Cyberbiosecurity and biosecurity challenges
Biosecurity refers to the protection, control and accountability of biological materials to prevent their unauthorized access, loss, theft, misuse, diversion or intentional release. With the increasing digitization of the life sciences come a number of significant security concerns relating to the field of biosecurity.
The vulnerabilities inherent in networked biological data systems, including pathogen databases and other sensitive information, laboratory equipment, engineering controls and facility security, could be manipulated to endanger the health and lives of humans, animals and plants through environmental contamination or the use of biological products.
Traditional biosafety and biosecurity approaches were originally developed to deal with well-characterized biological threats such as regulated pathogens. However, they were not designed to protect against threats at the cyber-biological interface where biological information is collected, measured, monitored and converted to digital information, and where data and computer programmes can be used to manipulate a biological system. Similarly, no biosecurity or biosafety controls were designed to deal with the cyber-physical aspects of the biological sciences, whereby a physical mechanism is controlled or monitored digitally, such as computers controlling bio-fermenters and bioreactors.
Here, we highlight just some of the areas concerning the security community at the nexus of the biological sciences and cyber technology.
Design and manufacture of novel high consequence biological agents
With the growth of synthetic biology, scientists can now use computer modelling to design and construct new DNA sequences to produce synthetic DNA, thereby bypassing the need to obtain physical biological samples. In addition, there has been a massive growth in the number of online genetic and pathogen databases containing complete genomic sequences of pathogens, including virulence factors, enabling even amateur scientists to access valuable biological information. (These databases are themselves vulnerable to cyber intrusion.)
While it may be overly simplistic to state that all one needs to create a dangerous pathogen is internet access, in 2006 a journalist was able to order a fragment of smallpox DNA in the mail, and the genome sequence of a pathogen as high-risk as the smallpox virus, Variola major, can be easily accessed at NCBI by any anonymous user. In 2005, the US Centers for Disease Control used published DNA sequences to reconstruct the virus responsible for the Spanish Flu – one of the most lethal pandemics in history.
In addition, it is now possible to order biological materials from biofoundries (commercial biological laboratories that use automated laboratory equipment to produce biological materials) by simply sending them digital information. To request synthesis services, all that is required is to upload the required biological data (such as DNA and amino acid sequences) on a biofoundry’s website. To avoid detection when ordering a dangerous biological substance, a bad actor could simply spread their requests through several biofoundries, each with just a portion of the final product.
What this essentially boils down to is the ability to obtain a dangerous pathogen’s sequence online or to design a new/modified one, and then order it over the internet via private commercial companies direct to your door.
It is also potentially possible to circumvent existing biosecurity controls on accessing dangerous pathogens. For example, the US’s Federal Select Agent Program (FSAP) imposes stringent requirements for access to certain high-consequence biological agents, known as Biological Select Agents and Toxins (BSAT). These include background checks, close oversight and institutional registration. The list of 67 biological select agents and toxins is based on traditional taxonomic classifications, and cannot include biological agents that are entirely new to nature or that do not fit within the taxonomic classification system. International export and transfer controls on biological substances are also vulnerable to this gap, such as those of the Australia Group (https://australiagroup.net/en/), whose export control list is also taxonomy-based.
Security threats to biofacilities and databases
Digital information, including malware, can now be stored and transmitted through DNA. In 2010, the J. Craig Venter Institute announced the synthesis of an entirely new self-replicating organism, not assembled from other natural bacteria and into which they had encoded a series of four ‘watermarks’ containing encoded links and messages. This has opened the possibility that DNA could be used to deliver malware to attack biological databases and facilities. In such a case, DNA could be used to deliver the malware that is unlocked when the DNA sequences are translated into digital viruses by a sequencing computer. In 2017, at the USENIX Security Symposium, a group of researchers from the University of Washington presented evidence of their ability to encode malware into DNA via a proof-of-concept research project. When the malware-containing DNA was assembled by a gene sequencer, the machine’s sequencing software became corrupted. This compromised the computer that controlled the sequencer.
Such a scenario would be the biological equivalent of the Stuxnet attacks against the Iranian Natanz nuclear enrichment laboratory. The Stuxnet computer virus disrupted the systems responsible for controlling the automation of electromechanical processes such as those used to control machinery and industrial processes, including gas centrifuges for separating nuclear material.
It is worth noting the case of the 2018 cyber attacks against Switzerland’s Federal Institute for Nuclear, Chemical and Biological Protection in Spiez. The Spiez laboratory was involved in testing samples related to a chemical attack on UK soil on a former Russian spy, Sergei Skripal, and his daughter, as well as samples from Syria concerning the use of chemical weapons. Hackers, believed to be from a group known as Sandworm that has links to Russia’s GRU military intelligence agency, created a fake email address to mimic the Spiez lab ahead of a conference for chemical and biological warfare experts. The perpetrators then sent a Word document embedded with malware to conference participants.
Biological databases are also vulnerable to cyber intrusion that could remotely corrupt data, such as by altering sequences or annotation. These alterations could delay a research programme, causing financial and labour losses, or could even be used to cause the production of toxins or other dangerous biological agents within biological facilities. Access to networked laboratory equipment such as freezers, refrigerators and incubators can result in destruction of valuable reagents and microorganisms in long-term storage, in use as working stocks, or in active research or experimental use.
Additional potential risks include tampering with electronic orders or interception of shipments, which could result in the injection of nefarious products that compromise the operation of a facility. It might not even be initially obvious that tampering has occurred, given that computer-controlled processes are vulnerable to discrepancies between the physical parameters of the process and the data reported to the operator. Cyber intrusions that result in alteration of digital genomic or protein sequences could also undermine microbial forensics efforts and adversely affect a government’s ability to distinguish between naturally occurring and deliberate or accidental disease outbreaks, as well as to assign responsibility to malicious actors.
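A defensive check for the sequence and annotation tampering described above, added here as an example and not taken from the original article: a keyed (HMAC) baseline over each database record lets an audit report which records had their sequence or their annotation altered. The FASTA layout, record names, key and sample data are all constructed assumptions.

```python
import hashlib
import hmac

def parse_fasta(text):
    """Return {accession: (annotation, sequence)} from FASTA text."""
    records, acc = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith(">"):
            acc, _, annotation = line[1:].partition(" ")
            if acc in records:
                raise ValueError(f"duplicate accession: {acc}")
            records[acc] = [annotation.strip(), ""]
        elif acc is None:
            raise ValueError("sequence data before first header")
        else:
            # Normalise case and join lines so harmless re-wrapping is not flagged.
            records[acc][1] += line.upper()
    return {a: (ann, seq) for a, (ann, seq) in records.items()}

def _tag(key, field, acc, value):
    # Bind each tag to its accession and field so values cannot be swapped between records.
    msg = b"\x00".join([field.encode(), acc.encode(), value.encode()])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def build_manifest(key, fasta_text):
    """Baseline of per-record tags; store it (and the key) away from the database host."""
    return {acc: {"annotation": _tag(key, "annotation", acc, ann),
                  "sequence": _tag(key, "sequence", acc, seq)}
            for acc, (ann, seq) in parse_fasta(fasta_text).items()}

def audit(key, manifest, fasta_text):
    """Compare the current database export with the baseline; return (accession, finding) pairs."""
    current = build_manifest(key, fasta_text)
    findings = []
    for acc in sorted(set(manifest) | set(current)):
        if acc not in current:
            findings.append((acc, "record missing"))
        elif acc not in manifest:
            findings.append((acc, "unexpected record"))
        else:
            for field in ("annotation", "sequence"):
                if not hmac.compare_digest(manifest[acc][field], current[acc][field]):
                    findings.append((acc, f"{field} altered"))
    return findings

# Constructed sample data (short made-up records, not real database entries).
KEY = b"demo-key-kept-off-the-database-host"
BASELINE = ">REC001 hypothetical protein A\nATGGCCATTG\nTAATGGGCCG\n>REC002 hypothetical protein B\nATGAAACGCA\n"
TAMPERED = ">REC001 hypothetical protein A\nATGGCCATTG\nTAATGGGCTG\n>REC002 hypothetical enzyme B\nATGAAACGCA\n>REC003 added\nATG\n"
```

Calling `audit(KEY, build_manifest(KEY, BASELINE), TAMPERED)` reports the single-base change in REC001, the annotation change in REC002 and the inserted REC003.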
Beyond the possibility of altering or disrupting laboratory processes within a facility, no less concerning is the type of facility information held at laboratories that could be stolen or compromised in order to access the facility. This includes facility maps, floorplans and schematics that reveal the location of pathogen storage; emergency procedures; security protocols and controls including identification of the location of video surveillance and intrusion detection devices; access to pathogen inventories; information on facility management systems, and other critical infrastructure information including directional airflow and pressure differentials within laboratories; and personal details of personnel. To a knowledgeable adversary, every point of information can reveal significant vulnerabilities of the organization.
Cyber penetration of networked lab equipment and facility controls provides access to the organization’s sensitive scientific and business data as well as intellectual property. Aside from denial of service and malware introduction, cyberbiosecurity intrusions and exfiltration of data can result in a cascade of catastrophic reputational and financial outcomes that can challenge the viability of an organization.
The above discussion outlines some of the main concerns currently causing worry among the biosecurity community. However, with the pace of developments in the biological sciences and biotechnology, as well as in the cyber domain, it is likely that new threats will continue to emerge.
© Biosecure Ltd