Cyber-Biosecurity: Are we ready?

Amalgamation of biotechnological and information technology advancement in 21st century has altered our world at the fundamental level which is evident in the area of health, manufacturing, and food security. Humankind has also witnessed malicious bugs like Y2K and Wannacry in biological and cyber field respectively. We have reached new landmarks on our understanding of how biological systems work and also discovered ways to meaningfully manipulate these systems as per our advantage/ requirement. Biotech tools, such as gene drives, can deliberately engineer inheritable genetic traits into wild populations, offering a powerful new way to escape from certain vector-borne diseases. Gene editing tools such as CRISPR-CAS9 (Clustered Regularly Interspaced Short Palindromic Repeats associated protein-9 nuclease) are being used globally for quick and precise gene editing. Researchers like to use computers to analyze DNA, operate lab machines and store genetic information. In the health sector, the digitization of biology & metabolic engineering accelerated the development of new vaccines, drugs and painkillers. Agriculture is becoming smarter/digitized, with farmers relying on datadriven decision acquired through sensors planted in the ground, satellites guiding tractor movements and other new practices. But these emerging capabilities come with a whole new category of vulnerabilities and risks.

Our life sciences community has been traditionally evolved to operate under an insecure system that expects participants to self-regulate with often no monitoring for security threats. Now that DNA sequencing, synthesis, manipulation, and storage are increasingly digitized, there are more ways than ever for immoral agents both inside and outside of the community to compromise security.

Recently Jean and coworkers (2018) highlighted the risks of using gene sequencing technologies to corrupt the databases by altering sequences or annotations. In this article, computer scientists designed a DNA sample that when sequenced, resulted in a data file which enabled the hacker to control the sequencing computer remotely and gave access to the hacker to make changes in DNA sequences. These alterations could delay a research program causing capital, labor loss or can be used in act of terrorism for uncontrolled production of toxins or infectious agents. To mitigate these risks, the culture of the life sciences community needs to shift from trusting blindly to a highly aware and trained community. This also requires intricate relationships between the computational and experimental dimensions of product development workflows.

The diverse nature of pathogens and toxins with their potential to be used as biowarfare agent (BW) could be attributed to multiple factors. These include infectivity (the number of organisms required to cause disease), virulence (the severity of the disease caused), transmissibility (ease of spreading from person to person), and incubation period (the time from exposure of a biological agent to the onset of illness). All these attributes are manageable by modern biotechnology and information related to such experimentation trials is key to any covert attack using these for BW. Similarly, in cyber world there is a diversity of malicious codes. These include viruses (programs that replicate in target machinery); worms (self-sustaining programs) and carriers such as trojan horse to perform a legitimate function with malicious activity. Additionally, Botnets, or networks of computers infected with malicious code, can be coordinated to perform distributed denial of service attacks. For biological weapons, delivery vehicles range from advanced aerial spray technology to contamination of food products or water, while malicious code in cyberspace can be delivered by usage portals, email, web browsers, chat clients, webenabled applications and updates. The cyber threat has expanded dramatically in recent years with a series of damage. Terrorists are using cyber capabilities over traditional methods to target 104 countries including India.

Governments and security experts have singled out the life sciences sector as being significantly vulnerable to cybercrime. In cyber security terms, innovation is fast becoming a double-edged sword for life sciences clients. Recently FireEye disclosed threat posed by two Advance Persistent Threat (APT) groups which gained access to the environment of a leading pharmaceutical company for up to three years prior to detection. They stole IP and business data from the victim, information on bio cultures, products, cost reports, and other details pertaining to the company’s operations abroad. There is nothing more important to a pharmaceutical organization than the formula for one of its new drugs.

For cyber biosecurity, employee training should be given priority. It can greatly increase an organization’s general awareness of these new risks. Similar to biosafety training, cyberbiosecurity training modules and policies should be introduced. Secondly organizations should perform thorough analysis of its exposure to cyber biosecurity risks not covered by existing biosafety and biosecurity policies. Training exercises based on this type of analysis will encourage participants to review their workflows and identify their vulnerabilities. It is high time now to evolve a policy framework to detect and prevent security threats that may compromise life sciences assets. It includes guidelines on synthetic DNA targeted companies that provide DNA synthesis services to monitor research focus and relates features. Bioinformatics softwares are still not hardened against attack. Encouragement of widespread adoption of standard software best security practices like input sanitization, the use of memory safe languages or bounds checking at buffers, and regular security audits is necessary. Patching still remains challenging as the analysis software are often located in individually managed repositories and not regularly updated. One solution is to use a centralized repository to manage updates and deliver patches, similar to the APT package manager.

These could also be signed to ensure their authenticity. In the case of file sharing, the sequencing files themselves could be signed by verified research groups before uploading them to centralized databases. This is just the glimpse of long list of strategies that need immediate deployment, continuous review and improvement with time.