Cloud Labs and the New Supply Chain for Bioterrorism

In 2005, the C.D.C. released into public circulation the full genome sequence of the 1918 influenza virus, one of the deadliest pathogens in modern history. The decision was defended as preparedness; by studying the virus that killed an estimated 50 million people, scientists hoped to improve surveillance, vaccines, and antiviral defenses. But even then, this was a failure of foresight. Once released, such information could not be contained, while the tools needed to use it were only going to become more accessible. The benefits were uncertain, but the danger was concrete; in the wrong hands, the sequence is a recipe for bioterrorism.

That was a dangerous decision in 2005. In the age of artificial intelligence, it is more dangerous still.

We still talk about A.I. as though it were trapped in the realm of text, as though it could advise, predict, and persuade but could not touch the world except through human hands. That assumption is becoming less true by the month. The rise of the "cloud lab" has sharply reduced the distance between a biological idea and a physical experiment. A cloud lab is an automated wet lab run remotely through software: A user enters instructions through a digital interface, robots execute the experiment, and the results come back electronically. RAND has warned that these remotely operated laboratories could become one of the clearest points of convergence between biotechnology, automation, and A.I.

The old architecture of biosecurity depended, often without saying so, on friction. Dangerous biology required dexterity, procedural feel, access to expensive instruments, and the patience to troubleshoot protocols that did not work as expected. Knowledge alone was not enough. One needed apprenticeship, equipment, a physical laboratory, and usually some institutional permission. These were never perfect safeguards. But they were safeguards.

What makes this moment different is that the practical barriers between knowing and doing are being removed from several directions at once. A dangerous sequence can circulate online. A synthesis provider can manufacture the fragments. A model can narrow the search space, suggest variants, interpret results, and propose next steps. A cloud lab can execute part of the workflow remotely. No one of these developments, on its own, makes dangerous biology easy. But together they begin to collapse a distinction we had grown used to trusting: the distinction between knowing and doing.

Consider a model like EVEscape, which was designed to estimate which viral mutations are most likely to evade antibodies. This is useful work. It can help researchers identify concerning variants earlier and buy time for vaccines and therapeutics. But the dual-use problem is built into the tool itself.¹ A system that helps defenders forecast immune escape can also help an attacker think more clearly about which changes might make a pathogen harder for existing immunity to catch. The same feature that makes the model valuable is what makes it dangerous.

The same is true of published pathogen blueprints. A recent paper in Nature Communications exposed a glaring weakness in current U.S. rules for synthetic DNA. Federal regulations cover intact select-agent sequences, but not short fragments that can be legally acquired and later assembled. The authors showed that by ordering pieces from dozens of DNA synthesis providers, they could collectively obtain enough material to recreate restricted sequences that the law is supposedly designed to protect. The larger point was not simply that a loophole exists. It was that our regulations remain fixated on finished objects while ignoring how dangerous capability is actually assembled in the real world: incrementally and across multiple actors and services.

Cloud labs intensify that problem by bringing distributed capability closer to physical execution. In February, OpenAI reported that GPT-5, connected to Ginkgo Bioworks' cloud laboratory, was able to design experiments, have the robotic lab execute them, ingest the results, and iterate through six rounds of closed-loop experimentation. The system tested more than 36,000 protein-synthesis reaction compositions across 580 automated plates and, according to OpenAI, reduced production cost by 40 percent. This announcement should have been immediately understood in Washington as evidence that our regulatory framework is out of date.

The point is not that current models can simply summon a civilization-ending pathogen out of thin air, and it is not that every remote lab is a weapons platform in disguise. The point is more structural, and therefore more serious: The barrier between advising on biology and doing biology is shrinking. For years, one of the stock reassurances about A.I. was that it could not act in the world on its own. But the cloud lab gives that reassurance a much shorter shelf life.

Our regulatory frameworks are not built for this. They are aimed mostly at materials, organisms, facilities, and people physically present in laboratories. They assume that dangerous work is local, visible, and institutionally bounded. But cloud labs make biology networked. The person initiating a risky experiment may never enter the building. The alarming pattern may emerge only when multiple harmless-looking requests are combined over time. A customer may split activity across providers, use intermediaries, and rely on automation to handle the tedious parts, leaving no single company with the full picture. This is exactly the sort of environment in which fragmented, voluntary oversight fails.

We should start by treating cloud labs as what they are becoming: critical cyberphysical infrastructure for biological work, not ordinary lab vendors with unusually elegant software. If a company allows remote users to specify biological experiments that are then executed by automation, that service should trigger a distinct federal licensing regime.

That regime should begin with rigorous customer screening. Identity should be verified, and institutional affiliations should be confirmed where relevant. Anonymous, intermediary, or suspicious purchasing structures should receive heightened scrutiny. RAND has proposed a cloud-lab security consortium that could standardize know-your-customer measures and tracking across providers. That is a useful idea, but it is not enough to hope the market will voluntarily coordinate on caution when caution can cost money. The state exists, among other reasons, to solve exactly this problem: the case in which the socially necessary precaution is commercially inconvenient.

But screening the customer is not enough. Providers also need to screen workflows. Free-form natural-language input tied to physical biological execution should be treated as a high-risk interface. Some kinds of work may need to move through constrained protocol templates, validated libraries, or tiered permissions rather than open-ended text entry. When the user is effectively programming a robotic laboratory, interface design becomes a safety issue. We learned long ago in aviation, nuclear power, and drug manufacturing that the form of the system matters as much as the formal rules around it. Biology should stop pretending it is exempt from this lesson, especially now that A.I. is accelerating the speed, scale, and accessibility of biological work.

Cloud labs should also be required to maintain comprehensive, queryable logs of executed tasks, relevant parameters, generated data, and linked accounts, with retention rules and lawful access mechanisms for threat detection. One reason older biosecurity systems sometimes worked was that dangerous activity left thick local traces (i.e. inventory records, physical access logs, supervisors, procurement histories, institutional review). Remote biology threatens to disperse those traces across software layers and multiple vendors. Regulation should force them back into view.

They should also undergo regular third-party red teaming of both their digital systems and physical workflows.² A modern cloud lab can be misused through identity fraud, social engineering, protocol decomposition, API abuse, insider threat, or combinations of routine tasks whose significance appears only in aggregate. This is not merely a cybersecurity problem or merely a biosafety problem. It is a hybrid problem, which means the oversight has to be hybrid too.

And cloud-lab policy cannot be separated from DNA-synthesis policy. It is pointless to harden one half of the system while leaving the other porous. If dangerous fragments remain easy to obtain through regulatory loopholes, and if remote automated labs continue to lower the friction of experimentation, then the government will be regulating only the most visible part of a chain it refuses to map in full. Our rules are still organized around the fantasy that dangerous capability arrives in one piece, from one source, in one place. Increasingly, it does not.

There should also be mandatory incident reporting. Suspicious customer behavior, attempted protocol evasion, anomalous usage patterns, near misses, and discovered vulnerabilities should not remain private trivia inside firms. Aviation became safer partly because incident reporting became normalized and structured before every failure became catastrophic. Biology needs an equivalent habit, and it needs it before some spectacular event forces one into existence under panic.

None of this is an argument for abolishing cloud labs. Quite the opposite. It is an argument for governing them early enough that their legitimate uses remain politically and socially sustainable. The lesson of high-risk infrastructure is always the same: When government waits for the spectacular failure, the eventual response is more likely to be panicked and poorly designed. As I have argued before, early regulation is not the enemy of technological progress; in industries where the downside risk is systemic, it is often the condition that makes progress durable.

The deeper obstacle is cultural. Biology still carries a strong presumption that openness is virtuous, friction is reactionary, and scientific infrastructure should be judged mainly by how much it accelerates discovery. That culture was easier to defend in a world where the hardest part was assembling enough talent, equipment, and institutional coordination to do difficult things at all. It is harder to defend in a world where the central question is how cheaply, remotely, and automatically difficult things can now be done.

The 1918 genome release should have taught us that biological information can itself be dangerous. Immune-escape models should have taught us that useful tools can also serve offensive ends. The synthetic-DNA loophole should have taught us that rules aimed only at intact finished products are not serious rules at all. And the OpenAI-Ginkgo demonstration should teach us the next lesson: Cloud labs make these risks materially greater by shrinking the distance between dangerous biological ideas and their physical execution.

We still tend to imagine bioterrorism in the imagery of the last century: secret vials, rogue states, and hidden facilities. The emerging threat is more banal and more contemporary, a distributed commercial ecosystem in which dangerous biological capability is lowered piece by piece by sequence availability, model-guided design, remote experimentation, and patchy governance.

By the time the vial appears, the real failure will already be over. It will have happened earlier and more imperceptibly: in software that turned biology into a remote-execution environment, in policy that regulated dangerous materials but not the chain of services that can assemble dangerous capability, and in a culture too complacent to see that reduced friction is now itself a security problem. The vial is not the beginning of the story. It is the last visible artifact of a long series of avoidable decisions.