Governance of Dual-Use Technologies: Theory and Practice

Concluding Observations

Back to table of contents
Authors
Elisa D. Harris, James M. Acton, and Herbert Lin
Project
Global Nuclear Future

Elisa D. Harris


Technological Characteristics and Governance Prospects

In a 2006 study the U.S. National Academy of Sciences suggested thinking about the proliferation potential of nuclear, biological, and cyber weapons as a continuum or line, with the weapons whose spread was most amenable to nonproliferation efforts—nuclear—on the far left, and the weapons offering the most limited opportunities—cyber—on the far right. Biological weapons fell somewhere between them: not as amenable to nonproliferation efforts as nuclear, but not as limited as cyber.1 The governance potential of these technologies can be thought of as a similar continuum or line, with the technology most amenable to governance efforts—nuclear—again on the far left, and the technology with the most limited opportunities—information technology—on the far right. Biological technology is again somewhere between them.

As the preceding chapters have demonstrated, the position of each of these technologies on a governance continuum is closely related to its characteristics—its history and potential uses; the nature and availability of the relevant material and equipment; the level of effort required to use it for destructive purposes; and its possible effects (see Table 5). Nuclear technology has a special history, having begun as a military technology developed by the government for weapons purposes that later was exploited for civilian applications, primarily energy and research. National governments were and remain central to the development and use of nuclear technology, even in countries where utilities or other private sector entities operate nuclear facilities.

The opposite is true for biological and information technology, which were first and foremost civilian technologies whose destructive potential was recognized only after their legitimate uses had been well established. Biological materials and equipment have extensive civilian uses, including in research, medicine, and agriculture. Information technology also has an unlimited number of legitimate applications. Governments have played an important role in the development and use of both technologies. The first applications of modern information technology, computers, were for military purposes such as code breaking and computations for the atomic bomb. But the most important stakeholders in both the biological and information technology areas are private entities: academic institutions, companies, and individuals.2

The nature and availability of the material and equipment, as well as the level of effort needed to use nuclear, biological, and information technology for destructive purposes, also are very different. In the case of a nuclear explosive device, the number of key materials (primarily highly enriched uranium and separated plutonium) and key technologies (enrichment and reprocessing) are limited, although other dual-use materials (such as low enriched uranium and spent fuel) and technologies (nuclear reactors) can also be used. There also are a relatively limited number of countries that possess or can supply the necessary technology. Moreover, although nonstate actors may be able to acquire a so-called dirty bomb, developing a nuclear weapon that will not only work but can be delivered successfully to a target is extremely challenging and costly and requires a dedicated national program.3

In contrast to nuclear weapons, a much wider array of materials and equipment can be used to develop biological warfare agents. More than 125 “conventional” pathogens and toxins and nine categories of equipment currently are controlled by Australia Group members because they can be used to produce biological warfare agents. Synthetic biology and other advances in science and technology are expanding the number of potential threat agents still further, as well as the range of practitioners, which includes not only researchers in academic or private laboratories but engineers and others outside the scientific community. Many of the materials and items of equipment used by this broader universe of practitioners are globally available, making the creation of modified or novel pathogens easier and cheaper than ever before. Yet even as the number and type of actors who could develop a dangerous pathogen has proliferated, producing a weapons-grade biological warfare agent and disseminating it effectively remains both technically and operationally much more difficult than generally is believed.


Table 5: Characteristics of Nuclear, Biological, and Information Technology

Nuclear Technology Biological Technology Information Technology
Military origins Civilian origins Civilian origins
Weapons-grade materials difficult, costly to produce Modified and novel pathogens increasingly easy and cheap to produce; weaponization and dissemination difficult Many cyber weapons very easy, cheap to produce;
higher-end uses challenging
Separated plutonium, highly enriched uranium, low enriched uranium, spent fuel, enrichment and reprocessing equipment, nuclear power reactors > 125 pathogens and toxins; 9 categories of equipment; threat agents increasing with technological advances No special materials or facilities; billions of computers with underlying information technology
15 countries with enrichment and/or reprocessing plants; < 10 countries supply enrichment and reprocessing technology and nuclear reactors Created, stored, and used at wide range of laboratories (government, academic, industry) and private facilities in many countries Computers and information technology ubiquitous
Limited nonmilitary applications: energy, research Extensive legitimate applications (e.g., research, medicine, agriculture), including biodefense countermeasures Unlimited legitimate applications
Can cause massive loss of human life and physical destruction Can cause massive loss of life (human, animal, and plant) and can contaminate physical infrastructure Can cause nuisance, large-scale commercial and economic damage; loss of life indirectly

Source: Adapted in part from Jonathan B. Tucker, “Preventing the Misuse of Pathogens: The Need for Global Biosecurity Standards,” Arms Control Today 33 (5) (June 2003): 3–10.


Rather than special materials or facilities, the key technology used in cyber weapons is information technology. Information technology is available wherever computers are available. Initially, the small number of computers was the determining factor in limiting hostile applications of information technology. Today, an estimated fifteen billion devices around the world are connected to the Internet, a significant portion of which are computers, and the number is growing.4 Except for high-end uses, cyber weapons also are orders of magnitude easier and cheaper to produce than nuclear explosive devices or biological weapons, as anyone with access to a computer can, in principle, develop such a weapon.

A final characteristic that has influenced the governance potential of each of these technologies is its destructive effects. Since the attacks on Hiroshima and Nagasaki in 1945, it has been clear that nuclear technology can be used to cause massive loss of life as well as physical damage. While no comparable use of biological technology has occurred, the potential impact, particularly of a highly lethal agent that can spread from person to person, also has been recognized for many years. These concerns about the mass-destruction effects of nuclear and biological weapons have helped stimulate efforts to prevent the spread and use of the relevant technologies, including the negotiation of the Treaty on the Non-Proliferation of Nuclear Weapons (NPT), the Biological Weapons Convention (BWC), and many of the other governance measures discussed in the preceding pages.

In contrast to nuclear and biological weapons, cyber weapons have been used repeatedly and, in some cases, on a large scale for hostile purposes by both national governments and other actors. Some cyberattacks, such as the attack on Estonia’s government and media websites and banking services, have resulted in lengthy denials of service throughout the attacked country. Others, like the attack on the Saudi national oil company’s computers, disrupted important commercial activities. Still others, such as the Stuxnet attack on Iran’s uranium enrichment centrifuges, destroyed vital computer-controlled machinery. A number of other cyberattacks, such as the data breach at the retailer Target, have put tens of millions of customer records at risk. But none of these attacks has led to concerted efforts to control the use of cyber weapons, perhaps in part because no human lives were lost.

These characteristics of nuclear, biological, and information technology go a long way toward explaining the three technologies’ differing governance potential. Nuclear technology has been more amenable to governance efforts because its enormous destructive potential has been clear from the outset and because the principal actors involved have been national governments. Even where commercial and other private entities have a stake in nuclear policy, those interests generally are addressed in the internal deliberations within government. Moreover, the dual-use nuclear items that have been the focus of governance, the countries that can supply those items, and the dual-use activities in which they are used are relatively limited, all of which have facilitated governance efforts.

By comparison, everything about cyber weapons runs counter to governance: the underlying technology and the computers on which it is used are deeply embedded in civilian society around the world; the production of most cyber weapons requires no special materials or facilities; and the range of stakeholders—anyone with access to information technology and a computer—is virtually unlimited. Moreover, unlike nuclear and biological weapons, cyber weapons can put human lives at risk only indirectly by, for example, targeting critical infrastructure such as nuclear and chemical facilities, gas pipelines, transit systems, and water supplies.

Biological technology occupies a position between nuclear and information technology on a governance continuum. Biological technology has far more civilian applications than nuclear technology, but it is not ubiquitous, as is the case with information technology. The range of biological materials and equipment that could produce a highly dangerous pathogen is much larger than with nuclear technology but, even with advances in science, not as widespread as the computers used to launch cyber attacks. The universe of actors that have a stake in biological governance continues to expand well beyond those engaged in nuclear activities but does not include every level of society, as with information technology.


Existing Dual-Use Governance Measures

Given these differences, it is not surprising that a side-by-side comparison of the types of governance measures that have been adopted in these technology areas reveals the greatest common ground between nuclear and biological technology. As Table 6 shows, various international and national measures have been adopted in an effort to prevent dual-use nuclear and biological technology from being used for weapons purposes. The NPT and the BWC have been central to these efforts, embodying both the norm against destructive applications of these technologies and the specific obligations that give it legal effect. At the national level, many countries have adopted legislation criminalizing the activities prohibited by the treaties and, in the case of the NPT, authorizing International Atomic Energy Agency (IAEA) inspections and monitoring of their civilian nuclear activities.

A much wider range of international and national efforts have sought to control access to dual-use nuclear and biological materials, equipment, and information. Some, such as the export control harmonization activities of the Zangger Committee, the Nuclear Suppliers Group (NSG), and the Australia Group, have focused on denying other countries access to technology that could be used to develop nuclear and biological weapons and thus are important complements to the NPT and BWC. Preventing the spread of weapons and related technology to other countries was also the initial aim of the U.S. Nunn-Lugar Cooperative Threat Reduction program, which helped Russia and other former Soviet republics secure nuclear, biological, and other materials, dismantle former biological weapons facilities, and redirect former weapons scientists to peaceful activities.

Many other measures, particularly since September 11, have sought to deny terrorists access to technology that could be used to develop nuclear and biological weapons. This has been done through a variety of means. For example, under United Nations Security Council Resolution (UNSCR) 1540, all UN member states are obligated to adopt national legislation to prevent terrorists from obtaining materials, equipment, and information for nuclear, biological, and other weapons. Other measures, such as the Proliferation Security Initiative (PSI) and the IAEA Illicit Trafficking Database, are designed to help countries track and interdict illegal shipments of dual-use materials. Even international industry groups have become involved, with nuclear power plant exporters and two synthetic biology industry associations committing to screen customer orders for the dual-use items they sell. On a national level, antiterrorism legislation in the United States and other countries has tightened domestic controls on biological materials and facilities, as well as on the individuals who have access to them. Similar efforts have been undertaken to ensure the security and safety of domestic nuclear facilities and materials.

Finally, international and national measures have been developed to promote the safe and secure handling and use of dual-use nuclear and biological technology. This includes guidelines on nuclear security issued by the IAEA and guidelines on biosafety and biosecurity issued by the World Health Organization (WHO). It also includes the codes of ethics and conduct promulgated by various international and national scientific organizations to discourage destructive applications of biology. In addition to these nonbinding measures, European Union (EU) member states have enacted controls on the safe handling of genetically modified organisms, based on EU regulations and directives, and Israel and Denmark have enacted legislation requiring prior review and approval of certain categories of dual-use biological research that could raise security concerns.


Table 6: Governance of Nuclear, Biological, and Information Technology

Governance Measure Nuclear Technology Biological Technology Information Technology
International Initiatives Outlawing Hostile/Weapons Activities
Prohibition on development and possession of dual-use (DU) materials for weapons purposes Partial
(NPT)
Yes
(BWC)
No
Prohibition on assisting other countries to acquire DU materials for weapons purposes Yes
(NPT)
Yes
(BWC)
No
International oversight of national DU activities and materials to ensure nonuse for weapons purposes Yes
(IAEA safeguards)
No No
Commitment to adopt national laws outlawing hostile/weapons activities with DU materials Yes
(NPT)
Yes
(BWC)
Yes
(Budapest Convention)
International Efforts to Control Access to DU Materials
Requirement to share information on terrorists’ efforts to acquire DU materials Yes
(UNSCR 1373)
Yes
(UNSCR 1373)
No
Requirement for national measures to prevent terrorists’ acquisition/use of DU materials and equipment Yes
(Convention on Physical Protection of Nuclear Materials, amended)
Yes
(UNSCR 1540)
No
Commitment to harmonize national controls on transfers of DU materials and equipment to other countries Yes
(Zangger Committee and Nuclear Suppliers Group)
Yes
(Australia Group)
Yes
(Wassenaar
Arrangement)
Commitment to assist countries in eliminating weapons, material, and facilities and redirecting former weapons scientists in former Soviet Union and other countries Yes
(G8 Global Partnership)
Yes
(G8 Global Partnership)
No
Commitment to interdict shipments of DU materials to countries/terrorists Yes
(PSI)
Yes
(PSI)
No
Assistance to countries in tracking smuggling of DU materials Yes
(IAEA Illicit Trafficking Database)
No No
Assistance to countries in securing DU materials and strengthening laws prohibiting acquisition/use of DU-based weapons Yes
(IAEA Division of Nuclear Security
Yes
(INTERPOL Bioterrorism Prevention Program)
No
Commitment by industry to screen orders of DU materials and equipment Yes
(Nuclear Power Plant Exporters)
Yes
(International Association Synthetic Biology)
No
International Initiatives on the Handling of DU Materials
Guidelines for safe handling and use of DU materials Yes* Yes
(WHO manual)
No
Guidelines for security of DU materials Yes
(IAEA INFCIRC225)
Yes
(WHO manual)
No
Codes of ethics/conduct/practice Yes
(World Institute for Nuclear Security)
Yes
(InterAcademy
Panel)
No
National Initiatives on Hostile/Weapons Activities
Prohibition on use of DU materials for hostile/weapons purposes Yes
(IAEA safeguards implementing legislation)
Yes
(BWC implementing legislation)
Yes
(U.S. Computer Fraud and Abuse Act)
Review of DU R&D activities for compliance with international commitments outlawing hostile/weapons activities No Yes
(U.S. Department of Defense BWC Compliance Review Group)
No
National Efforts to Control Access to DU Materials
Controls on transfers of DU materials and equipment to other countries Yes
(export controls by NSG members)
Yes
(export controls by EU members)
Yes
(export controls by Wassenaar members)
Controls on domestic access to DU materials Yes
(U.S. Nuclear Regulatory Commission [NRC] licensing condition)
Yes
(U.S. select agent rules)
No
Controls on facilities that possess and use DU materials Yes
(U.S. NRC licensing condition)
Yes
(UK Anti-Terrorism Crime and Security Act)
No
Controls on individuals with access to DU materials Yes
(U.S. NRC licensing condition)
Yes
(Canadian Human Pathogens and Toxin Act)
No
Commitment to eliminate weapons, material, and facilities and to redirect former weapons scientists in former Soviet Union and other countries Yes
(U.S. Nunn-Lugar)
Yes
(U.S. Nunn-Lugar)
No
Guidelines for industry screening of orders for DU materials No Yes
(U.S. gene sequence screening)
No
National Initiatives on the Handling of DU Materials and Information
Controls on safe handling/use of DU materials Yes* Yes
(EU genetically modified organism directives)
No
Requirements for oversight of DU research for security concerns No Yes
(Danish biosecurity act)
No
Processes for reviewing DU manuscripts for potential security concerns No Yes
(American Society of Microbiology journals)
No
Codes of ethics/conduct/practice No Yes
(Dutch Academy of Sciences)
Yes
(U.S. ACM code)

Note: The measures listed in parentheses are intended to be illustrative and thus in some cases do not reflect all of the relevant governance measures adopted.

*An extensive body of rules and guidelines concerns nuclear safety, but unlike in the biological area these are entirely distinct from nuclear nonproliferation and nuclear security measures.


In contrast to nuclear and biological weapons, cyber weapons have not been outlawed by international treaty and are in fact being used on a daily basis by a wide range of actors from teenage hackers to national governments. Some of these uses have been highly destructive of commercial and economic interests but thus far have not resulted in the loss of human life. International legal experts have argued that the laws of war and the UN Charter apply to cyberspace and, as such, that some uses of cyber weapons are not permitted. However, even governments like the United States that share this view have been unwilling to forgo the option of using cyber weapons. Moreover, as the experience with the Stuxnet computer worm attack on Iran’s nuclear program shows, whether a given use of a cyber weapon is legitimate looks very different depending on whether one is the initiator or the target of the attack.

It is not surprising, therefore, that only a handful of governance measures have been adopted to try to prevent destructive applications of information technology. Internationally, the forty-seven states that are parties to the Budapest Convention on Cybercrime have agreed to enact national legislation criminalizing certain behaviors in cyberspace, such as unauthorized access to a computer or illegal interception of data. Many of these countries, as participants in the Wassenaar Arrangement, also control the export of certain dual-use items that could be used in cyber weapons, such as equipment related to intrusion software or network surveillance systems. At the national level, legislation in various countries also has proscribed certain unauthorized uses of information technology, including to gain access to computers or to intercept electronic communications. In the United States, a society for computer professionals, ACM, also has issued a code of ethics for its members that prohibits them from using computing technology in ways that cause harm.


Challenges to Governance of Dual-Use Technology

As the previous chapters have shown, governance efforts in each of the three technology areas have faced serious challenges. Some are a direct result of technical considerations. This is clearly the case in the cyber area, where the absence of choke points, such as specific weapons-related materials or activities, renders efforts to govern the development of cyber weapons nearly impossible. Detecting work on nonnuclear components of nuclear weapons also is technically challenging because such activity does not have an obvious signature, unlike work with nuclear material, which leaves detectable traces.

Other challenges can be linked to scientific and technological advances. This is particularly true in the biological area, where synthetic biology is increasing the number of potential threat agents, the types of equipment used in their development, and the range of practitioners involved, thus greatly complicating efforts to control the transfer of or access to biological agents and technology.

Economic interests also have played an important role in blocking the adoption of governance proposals. This can be seen in the hostility of nuclear reactor exporting countries to tightening the conditions under which reactors or certain reactor components can be transferred to other countries. It also was apparent in the U.S. biotechnology and pharmaceutical industries’ opposition to on-site inspections during the failed effort to conclude a compliance protocol to strengthen the BWC.

Still other challenges reflect security interests. The NPT’s two-tier system of nuclear “haves” and “have-nots” was necessary because the five nuclear weapons states at the time the treaty was concluded were unwilling to forego the possession of nuclear weapons. Even today, the procurement decisions and operational policies of these countries demonstrate that they continue to see the possession of nuclear weapons as militarily necessary. Security interests also have played a role in the unwillingness of the United States or any other country to formally limit or ban the use of cyber weapons, which can be used in a variety of ways, often without revealing the source of the attack.

Finally, political considerations also have had a significant impact on dual-use governance efforts. Developing countries generally do not share the West’s concerns about the risks posed by dual-use biological research and in some cases see governance efforts as little more than a veiled attempt at technology denial. The same is true in the nuclear area, where countries without access to enrichment and reprocessing technology have refused to forego the right to acquire it and even some states that possess such technology have been unwilling to limit their ability to acquire new forms in the future. Efforts to govern cyber weapons also are viewed with little sense of urgency as, unlike nuclear or biological weapons, cyber weapons are not considered weapons of mass destruction whose spread and use must be blocked both internationally and nationally.


Governance Requirements: Key Lessons

These factors help explain the nature of the different governance measures that have been adopted in these three technology areas. They also underscore why a common governance approach is not feasible when it comes to managing the risks from dual-use technologies. This does not mean that the concept of dual-use technology is not useful and should be abandoned. On the contrary, as the previous chapters show, the concept provides a valuable analytical tool for identifying and assessing technologies that have the potential to cause large-scale loss of life or damage to commercial or economic interests even as they continue to be used for legitimate purposes. By analyzing three examples from this category of technologies, as the preceding pages have done, a number of broader lessons become apparent.

One lesson is that governments are unlikely to support restrictions on their use of dual-use technology unless the stakes are sufficiently high. To date, the stakes that have mattered most have been the possible risks to human life. This helps explain the willingness of so many technological “haves” to agree to forego the development of nuclear and biological weapons, as well as the corresponding lack of interest across the international community in restricting the development and use of cyber weapons.

A second lesson is that in the absence of genuine and broad agreement on the threat, governments are unlikely to support restrictions on their acquisition and use of dual-use technology unless the rewards for doing so are sufficiently high. This is demonstrated by the insistence of the technological “have-nots” on access to nuclear and biological technology as a quid pro quo for foregoing the acquisition of nuclear and biological weapons. It is also demonstrated by the experience of cyber weapons, whose underlying information technology already is widely available around the globe, thus limiting not only the security benefits but also any technology benefits that might accrue from supporting restrictions on technology used for cyber weapons.

Finally, unless governments and other relevant stakeholders view governance of dual-use technology as a collective responsibility, efforts to manage the relevant risks are likely to be limited at best. This is demonstrated by the lack of enthusiasm for bold proposals to strengthen the nuclear nonproliferation regime, such as former IAEA Director Mohamed ElBaradei’s suggestion to internationalize the nuclear fuel cycle. It is also demonstrated by the preference of scientists and scientific organizations for self-governance rather than independent oversight and for codes of conduct and other voluntary measures rather than legal requirements to address concerns about certain types of dual-use biological research. And it is demonstrated by the reluctance of national governments and the information technology industry to countenance measures other than export controls and codes of conduct to address the problem of cyber weapons.


Recent and Future Steps

Notwithstanding the pessimism reflected above, as this volume is being completed, there are indications of additional progress in managing the risks from the three dual-use technologies that are its focus. In the case of nuclear technology, the July 2015 agreement limiting Iran’s nuclear program in exchange for the lifting of economic sanctions has been approved by the Iranian Parliament and is now being implemented. This agreement, which was concluded by Iran, the P5+1 (the United States, United Kingdom, France, China, Russia, and Germany), and the European Union, includes unprecedented elements, including the application of advanced safeguards technology, transparency into Iran’s uranium supply chain, time-limited dispute resolution procedures for access to suspect sites, and snap-back sanctions procedures.5 These elements go beyond the terms of existing nuclear nonproliferation measures and, as such, may serve as a model not only for resolving concerns about other nuclear weapons programs but also for strengthening the broader international nuclear nonproliferation regime.

In the cyber area, progress has been made toward creating what President Barack Obama calls “an architecture to govern behavior in cyberspace that is enforceable and clear.”6 This is seen in the September 2015 agreement by Presidents Xi Jinping and Obama not to conduct or knowingly support cyber-enabled theft of intellectual property. The two leaders also welcomed the July 2015 UN Group of Governmental Experts on Information, Telecommunications, and International Security (GGE) report on cybersecurity that, among other things, recommended that states not conduct or knowingly support cyber activity that intentionally damages or impairs the ability of critical infrastructure to provide services to the public.

Differences remain on whether the two nations’ cybersecurity commitment applies to cybercrime or the broader problem of cyber espionage and, potentially, on what is meant by critical infrastructure, which was not defined in the 2015 GGE report. Moreover, the United States has made clear that it could still impose sanctions on Chinese entities if they continue hacking U.S. companies, as appeared to be the case in the aftermath of the U.S.-China announcement.7 Nevertheless, China’s apparent willingness to forgo computer theft of intellectual property and cyberattacks on critical infrastructure represents an important step. The same is true of the subsequent statement by the G20, in November 2015, opposing cyber theft of intellectual property and affirming the role of the UN Charter in governing state behavior in the use of information and communications technologies.

In the case of biological technology, the U.S. government has taken modest steps to strengthen safety and security at facilities that work with select agents. Like the deliberative process for gain of function (GOF) research, these steps were a direct result of the incidents revealed in 2014 involving the mishandling of dangerous pathogens at federal facilities. In late 2015, the White House announced that it was moving forward with the recommendations in the December 2014 Federal Experts Security Advisory Panel (FESAP) report, including those involving select agent deactivation procedures, laboratory incident reporting, and high-containment laboratory requirements. Determining the latter is especially important given the proliferation of U.S. high-containment laboratories working with dangerous pathogens over the past decade. The White House also outlined its plans for implementing the recommendations of another review panel, the Fast Track Action Committee on Select Agent Regulations (FTAC-SAR), which had issued a report in October 2015. One of the committee’s most important recommendations is for international engagement to explore opportunities for harmonizing biosecurity standards, but it is not clear whether the administration agrees with this objective.

There is still much that the U.S. government should do to reduce the risks from biotechnology research. GOF studies of concern should be added to the select agent regulations. This can be done by the executive branch and does not require legislative action. A more robust approach to oversight of other types of dual-use research of concern should also be adopted. The experience of the past decade underscores what such an oversight process should entail. It should be mandatory and apply without exception to all relevant research, irrespective of whether the work is done in government or nongovernment institutions, or whether it is unclassified or classified. It should clearly define the categories of research that are subject to the oversight requirements, which should be coordinated and overseen by an independent federal entity. And as yet another expert committee has now recommended, it should seek to harmonize U.S. biosecurity requirements internationally.

All of this underscores a broader theme: rather than a single or best solution, measures aimed at governing dual-use technologies have been and will continue to evolve incrementally, focus on different aspects of the problem, and take various forms, as no individual measure on its own can effectively address the full range of potentially adverse consequences. This is clear in the multiplicity of measures that have been adopted over the past half century to manage the risks from nuclear and biological technology. Taken together, these measures have helped to prevent the development and use of these technologies for hostile purposes. They also have helped to control access to and promote the safe and secure handling of the materials, equipment, and information associated with them.

More can still be done—and needs to be done—by governments and other stakeholders to help prevent the use of nuclear, biological, and information technology from causing large-scale human, economic, or commercial harm. This study delineates some of the technical, scientific, economic, security, and political challenges facing those efforts. It also has identified some of the broader lessons from the governance experience with these technologies, including the potential for further measures, albeit incremental in nature, to help ensure that their social benefits can and will continue to be realized.


ENDNOTES

1. Institute of Medicine and National Research Council, Globalization, Biosecurity, and the Future of the Life Sciences (Washington, D.C.: National Academies Press, 2006), 53–56, http://www.nap.edu/catalog/11567/globalization-biosecurity-and-the-future-of-the-life-sciences.

2. Vernon Ruttan, The Role of the Public Sector in Technology Development: Generalizations from General Purpose Technologies, Science, Technology, and Innovation Discussion Paper no. 11 (Cambridge, Mass.: Harvard University, Center for International Development, 2001), http://www.cid.harvard.edu/archive/biotech/papers/discussion11_ruttan.pdf.

3. North Korea’s nuclear weapons program demonstrates, however, that even a relatively backward and financially strapped country can develop a nuclear capability if it is sufficiently determined and able to secure outside assistance.

4. Rob Soderbery, “How Many Things Are Currently Connected to the ‘Internet of Things’ (IoT)?” Forbes, January 7, 2013, http://www.forbes.com/sites/quora/2013/01/07/how-many-things-are-currently-connected-to-the-internet-of-things-iot/.

5. For details on the Iran agreement, see White House, “The Historic Deal That Will Prevent Iran from Acquiring a Nuclear Weapon,” n.d., https://www.whitehouse.gov/issues/foreign-policy/iran-deal.

6. David E. Sanger, “Path Set by U.S. and China to Limit Security Breaches May Be Impossible to Follow,” New York Times, September 26, 2015.

7. Julie Hirschfield Davis and David E. Sanger, “U.S. and China Agree to Rein in State-Sponsored Computer Thefts,” New York Times, September 26, 2015; and Paul Mozur, “Cybersecurity Firm Says Chinese Hackers Keep Attacking U.S. Companies,” New York Times, October 19, 2015.