Security

How to manage cyberbiosecurity risks before a malware attack strikes

Cyberbiosecurity risks include encoding digitized DNA with malware and compromising computers used for biomanufacturing processes. Learn three ways to mitigate cyberbiosecurity risks.

It is a brave new world. Not unlike software developers who use code to create programs, genetic engineers use software to create digital representations of genes. With that information, scientists can use chemical processes to produce synthetic DNA.

This capability has significant implications. "The cyber-physical nature of biotechnology raises unprecedented security concerns," write coauthors Jean Peccoud, Jenna E. Gallegos, Randall Murch, Wallace G. Buchholz, and Sanjay Raman in their research paper Cyberbiosecurity: From Naive Trust to Risk Awareness. "Computers can be compromised by encoding malware in DNA sequences, and biological threats can be synthesized using publicly available data."

The paper's introduction continues: "Trust within the biotechnology community creates vulnerabilities at the interface between cyberspace and biology. Awareness is a prerequisite to managing these risks."

SEE: Intrusion detection policy (Tech Pro Research)

What is cyberbiosecurity?

Cyberbiosecurity is a relatively new field that melds biosecurity with cybersecurity. The Colorado State University (CSU) post What is cyberbiosecurity? suggests since computers are vulnerable, bad actors could compromise computing equipment with the intent to stall the production of critical drugs, similar to what happened with Stuxnet.

From the CSU post:

"Facilities that manufacture biologic drugs like vaccines are a critical part of the nation's biodefense infrastructure. ... If every computer system is theoretically vulnerable to cyberattacks, it is important to understand how these vulnerabilities might impact the safety, delays, and production of biomanufacturing processes. In particular, it is critical to ensure the integrity of the flow of physical material and the flow of data associated with biomanufacturing processes."

Another possibility is that compromising computers or smart equipment used in biomanufacturing could afford bad actors access to information—for example, digital representations of genes—that could conceivably be used to create biologic weapons since environmental samples are no longer necessary. Peccoud and Gallegos write in this Conversation article that, "With the help of computers, editing and writing DNA sequences are almost as easy as manipulating text documents. And it can be done with malicious intent."

Case in point, the Centers for Disease Control used published DNA sequences as a blueprint to reconstruct the virus responsible for the Spanish flu, one of the deadliest pandemics of all time.

These concerns are serious enough for the US government to get involved—in particular, FBI agents from the Weapons of Mass Destruction Directorate, who, together with the five coauthors of the research paper about cyberbiosecurity, participated in a US Department of Defense funded project that assessed the security of the biotechnology infrastructure.

SEE: Defending against cyberwar: How the cybersecurity elite are working to prevent a digital apocalypse (free PDF) (TechRepublic cover story)

How can we improve cyberbiosecurity?

Peccoud, Gallegos, Murch, Buchholz, and Raman are confident cyberbiosecurity can be markedly improved by employing the following these steps.

Training: Just as employee training is vital for cybersecurity and biosafety, training programs to make employees aware of cyberbiological risks should be developed. The coauthors add, "Cyberbiosecurity awareness extends to an array of vulnerabilities that exist within the cyber, cyber-physical, and infrastructure dimensions, and at the interfaces with the biological process and supply-chain components."

Systematic analysis: Organizations need to perform routine analyses of their exposure to cyberbiosecurity risks not covered by existing biosafety and biosecurity policies. "A broad range of scenarios should be considered at this stage, irrespective of their likelihood and impact," state the authors. "After the risks have been identified, it is possible to prioritize them by evaluating their potential impact and probability of occurrence."

New policies: Creating policies such as the federal guidelines on synthetic DNA would help prevent and/or detect compromising incidents. "There is also currently no simple, affordable way to confirm DNA samples by whole genome sequencing," add Peccoud and Gallegos. "Simplified protocols and user-friendly software could be developed, so that screening by sequencing becomes routine."

SEE: World's first hack using DNA? Malware in genetic code could wreck police CSI work (ZDNet)

Why is it important to address cyberbiosecurity now?

Security, historically, has always played catch-up, and that is no different for the life sciences. "The life sciences community has traditionally operated under an insecure system that expects participants to self-regulate and often does not monitor for security threats," explain Peccoud, Gallegos, Murch, Buchholz, and Raman. "Now that DNA sequencing, synthesis, manipulation, and storage are increasingly digitized, there are more ways than ever for nefarious agents both inside and outside of the community to compromise security."

Peccoud and Gallegos end their column on a somber note, saying:

"The ability to manipulate DNA was once the privilege of the select few and very limited in scope and application. Today, life scientists rely on a global supply chain and a network of computers that manipulate DNA in unprecedented ways. The time to start thinking about the security of the digital/DNA interface is now, not after a new Stuxnet-like cyberbiosecurity breach."

Also see

dna-istock-521491736.jpg
Image: farakos, Getty Images/iStockphoto

About Michael Kassner

Information is my field...Writing is my passion...Coupling the two is my mission.

Editor's Picks

Free Newsletters, In your Inbox