Wednesday, August 6, 2008

Anthrax Investigation and Basic Lab Security



You're probably tired of hearing about this week's developments in the anthrax investigations (that started in 2001). Don't worry, I'm not about to launch into a time-line analysis or anything - but I would like to take this opportunity to talk about basic laboratory security.

With biological agents such as anthrax, you have some DNA fingerprints to follow when looking for the origin of the substance. In this case, they followed the DNA to a few labs that shared a specific strain of anthrax.
One of the labs was operated by Dr. Bruce E. Ivins, who of course committed suicide yesterday.

As I listened to details through the day, I was constantly reminded how important it is to have solid access control and access tracking when dealing with research substances that can be used as weapons.

This was not gunmen armed to the teeth, raiding labs to supply a terror plot. This was not secret agents rappelling through ventilation ducts. It was a respected but troubled researcher enacting what he thought to be a chance to test his cure, and bring problems he saw with research limitations to light.

It's not difficult to trace many "select agents" back to specific research institutions. But once the substances get into the labs, accountability tends to decrease rapidly. If you're just protecting against outside threats to your research or dangerous substances, you can easily lose sight of what's considered to be the most valid threat of all: your own people.

Most of the time, research labs are comprised of senior researchers, junior worker bees, and administrative staff. Only a limited number of staff members should work with the substances in question. Access to the select agents is restricted (they are locked up) and tracking forms / logs are filled out when they are used. In most settings, anything more advanced than that feels like overkill to everyone involved.

But as we see with Ivins, any internal threat is very difficult to pin down. His colleague, Steven Hatfill, was being looked at first, and was eventually cleared last month (and given 5.8 million for the trouble). Imagine how different the investigation would have gone if there were solid access control and access tracking in place. I don't know the specifics of how things were set up in the Fort Detrick lab, but it sure doesn't sound like it was easy to track who accessed what substance and when they did it.

When everyone has to play along with strict access policy, it keeps people honest - and protects the staff (as long as they follow the rules). It may seem very restrictive - and "big brother-ish" at first, but the staff soon appreciates how much easier it is to swipe a card to open storage lockers and freezers, and not have to bother with writing out access logs.

Once something comes up missing, or a similar problem occurs, it's easy to see the benefits when you can conduct a database search and have a clear picture of who used the substances, who they were working with, and when all the access occurred. Even if you are honest, it's easy to slip up when entering times and dates on a log sheet, or to forget altogether. Integrated access systems can't be "pencil whipped" at the end of the month to account for usage, and you can't forget to use your badge to track your use of items or space when it's required to physically access it. They give you an accurate account of events, and do it in a way that makes it easy to find small scraps of information quickly.
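The kind of database search described above, as an added example (not from any particular access control product): it lists every opening of one storage unit in a time window, with who else was badged into the room at that moment. The table layout, reader names, badge holders and events are all constructed for illustration.

```python
import sqlite3

# Constructed sample badge-reader events (illustrative, not real data):
# (timestamp, badge holder, reader, event)
EVENTS = [
    ("2008-08-01 18:02", "researcher_a", "lab_suite", "enter"),
    ("2008-08-01 18:05", "tech_b", "lab_suite", "enter"),
    ("2008-08-01 18:10", "researcher_a", "freezer_3", "open"),
    ("2008-08-01 18:40", "tech_b", "lab_suite", "exit"),
    ("2008-08-01 21:15", "researcher_a", "freezer_3", "open"),
    ("2008-08-01 21:30", "researcher_a", "lab_suite", "exit"),
    ("2008-08-02 09:00", "researcher_c", "lab_suite", "enter"),
    ("2008-08-02 09:20", "researcher_c", "freezer_1", "open"),
    ("2008-08-02 10:00", "researcher_c", "lab_suite", "exit"),
]

def load(events):
    """Load events and derive room-presence intervals (entry paired with next exit)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (ts TEXT, holder TEXT, reader TEXT, event TEXT)")
    db.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", events)
    db.execute("""
        CREATE VIEW visits AS
        SELECT e.holder, e.reader, e.ts AS in_ts,
               (SELECT MIN(x.ts) FROM events x
                 WHERE x.holder = e.holder AND x.reader = e.reader
                   AND x.event = 'exit' AND x.ts > e.ts) AS out_ts
          FROM events e WHERE e.event = 'enter'
    """)
    return db

def who_opened(db, unit, start, end, room="lab_suite"):
    """Every opening of `unit` in [start, end): (time, holder, others badged into `room`)."""
    rows = db.execute("""
        SELECT o.ts, o.holder, v.holder
          FROM events o
          LEFT JOIN visits v
            ON v.reader = ? AND v.holder <> o.holder
           AND v.in_ts <= o.ts AND (v.out_ts IS NULL OR v.out_ts >= o.ts)
         WHERE o.event = 'open' AND o.reader = ? AND o.ts >= ? AND o.ts < ?
         ORDER BY o.ts, v.holder
    """, (room, unit, start, end)).fetchall()
    report = {}
    for ts, holder, other in rows:
        present = report.setdefault((ts, holder), [])
        if other is not None:
            present.append(other)
    return [(ts, holder, others) for (ts, holder), others in report.items()]

if __name__ == "__main__":
    for row in who_opened(load(EVENTS), "freezer_3", "2008-08-01", "2008-08-02"):
        print(row)
```

An opening with an empty list of others present is one where the badge holder was alone in the room, which is the first thing a reviewer would look at after something goes missing.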

Systems don't come out of the box ready to be configured for this kind of thing. But if you work with a reputable systems integrator - it's not hard to do. The best systems are designed to be integrated, and believe it or not - it's not too expensive either.



Ivins didn't fit the profile of what most people protect against. He was a leader in his field and a recipient of the Decoration for Exceptional Civilian Service for his anthrax vaccine work. He wasn't the guy you'd spend time and money to protect against, yet he killed five people with anthrax-laced letters in his attempt to test his cure and crippled political, postal and logistical operations across the country.

Fences, gates, cameras and alarms don't protect against that kind of threat. Only solid access control and tracking practices can be effective, and sadly, they usually are not in place.