by Massimiliano Passalacqua
Cartoons, comics and videogames were favorite pastimes for many teenagers during the 80s, and the term “cyber” was strictly related to futuristic Japanese anime, American comics, manga and sci-fi movies. Almost forty years later everything is “cyber”: cyber-security, cyber-sports, cyber-law, cyber-porn, cyber-jihad; there are 400 English entries listed on Wiktionary with the prefix “cyber”. This is an ongoing process, in which technology is gradually building the IoT, the Internet of Things, a demi-god entity made of billions of items and devices embedded with electronics and sensors, interconnected with each other and continuously exchanging information.
The Internet of Things is the natural consequence of the extraordinary technological progress of recent years, where astonishing computing power met awesome mobile and sensor technologies at ridiculously cheap costs.
Cyberspace is turning into an intricate realm made of digital, virtual and physical objects. In cyber-physical systems (CPS), although “phygital” is the new trending portmanteau, physical and software components are deeply intertwined, each operating on different spatial and temporal scales, exhibiting multiple and distinct behavioral modalities, and interacting with each other in a myriad of ways that change with context (US National Science Foundation definition).
The outcome of these systems’ failures and malicious use could be catastrophic.
Here comes the security policy, a written document outlining how to protect an institution or a company from threats, including computer security threats, and how to handle situations when they do occur. A security policy must identify all company assets as well as all the potential threats to those assets. Biology and biotechnology – just like any other human activity – entered the digital age, and the frontier between biology and cyberspace is becoming increasingly unclear.
The recent use of DNA as a substrate to inject malware into a computer system is a case in point (Ney, P. et al., 2017, Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More). On the other side, security policies concerning these sciences have not kept pace with change. Because biotechnology is a computer-controlled industry, risks are present in every step of its workflow; yet, despite this overwhelming evidence, operators involved in the biotechnology supply chain do not take any precautions during their daily activities. This is partly associated with the perceived reputation of academic institutions or biotech companies.
However, as Wachinger underlined in 2013, limited exposure to cyberbiosecurity (CBS) incidents also shapes the perception of these risks. Most policies are still based on sample containment, but it is easy to read DNA sequences or to make molecules out of publicly available sequences from bioinformatics databases.
Most projects have a cyber dimension, introducing a new category of risk.
Security policies in life science fall into two categories:
- Biosafety procedures, designed to prevent exposure to pathogens and accidental release of biological agents. Measures of this kind include protective clothing, sterilization procedures, and airlock devices in which dust, particles and biological agents are prevented from leaking out by maintaining the room at a lower pressure than the surroundings.
- Biosecurity policies on the other side are usually associated with travel, supply chains, terrorist The term was first used by environmental and agricultural communities; eventually the prevention of the intentional removal of biological materials from research laboratories was included in response to the threat of biological terrorism.
Breaches can be accidental (e.g. a traveler bringing contaminated material) or intentional (e.g. bioterrorism).
A key component of biotechnology risk analysis is gene synthesis, which can be used to develop biological weapons via genomic sequences of pathogens. Therefore, cyberbiosecurity aims at understanding emerging risks at the cyberspace and biology frontier and at developing fitting policies. Most people have a basic sense of how to manage their own cybersecurity; the same should be true for life sciences.
More resilient and secure (ruling out safety as an already acquired skill) organizations and processes in life sciences can be built through:
- Employees are trained on the bio-safety aspects, and the same should be done on the cyber-biological risks.
- Awareness development about the different infrastructural, cyber and cyber-physical vulnerabilities, besides the supply chain and biological processes.
- Risk analysis. Identification of exposures not covered by the existing bio-safety/security policies. Examples of CBS risks can be found in bioinformatics databases, which could be corrupted by altering sequences and annotations, thus delaying a research program or resulting in the uncontrolled production of infectious agents and toxic products. Regulatory approval and research could also be postponed due to discrepancies between the physical characteristics of the product and test data. The operation of a facility could be compromised through the injection of nefarious products, either via shipment interception or tampering with electronic orders. After the risks have been identified, prioritization should follow, evaluating potential impacts and probability of occurrence.
- Policy upgrade: implementing appropriate security policies for detecting and preventing incidents that could jeopardize life sciences assets.
Now that DNA sequencing, synthesis, manipulation, and storage are increasingly digitalized, there are more ways than ever for nefarious agents both inside and outside of the community to compromise security.
Once life sciences organizations and institutions implement CBS policies, a new culture of CBS awareness will start to spread across the industry. That will be the starting point for cooperation with regulators on developing ad hoc policies, thus preventing the nefarious use of genome editing technologies.