Technology and research lead to advances in medical treatments, improve agricultural yields, enhance food security, and protect against biological threats. Genetic engineering can lead to breakthroughs in treating diseases, and artificial intelligence (AI) can help in predicting outbreaks.
Technology and research can also be misused to develop biological weapons, conduct bioterrorism, or perpetrate bio-hacking attacks. Genetic editing tools can be used to create harmful pathogens. Cyber attacks are employed to steal sensitive genetic data and sabotage bioinformatics systems.
The convergence of biotechnology with other technologies like AI, robotics, and nanotechnology adds layers of complexity to the cybersecurity challenges. Each technological domain brings its own set of cyber risks, and their convergence amplifies the potential for both innovative benefits and risks of misuse.
According to regulation (EU) 2021/821 (for the control of exports, brokering, technical assistance, transit and transfer of dual-use items), dual-use items are items, including software and technology, which can be used for both civil and military purposes, and includes items which can be used for the design, development, production or use of nuclear, chemical or biological weapons or their means of delivery, including all items which can be used for both non-explosive uses and assisting in any way in the manufacture of nuclear weapons or other nuclear explosive devices.
According to the regulation, various categories of persons are involved in dual-use items, including natural persons such as service providers, researchers, consultants and persons transmitting dual-use items electronically. It is essential that all such persons are aware of the risks, and the modus operandi of threat actors.
In particular, academic and research institutions face distinct challenges due to, inter alia, their general commitment to the free exchange of ideas and scientific developments. Persons working in these areas sometimes believe that knowledge is liberating, and should be free and the property of all humanity. But when knowledge is also a weapon in hybrid war, we must remember what Sun Tzu had said: The supreme art of war is to subdue the enemy without fighting.
Who else is involved? State-sponsored groups, foreign intelligence agencies, the organized crime, and other cyber actors exploiting vulnerabilities at the intersection between biological activities and information security. The human element is almost always the weakest link in cybersecurity.
According to the Global guidance framework for the responsible use of the life sciences, from the World Health Organisation (WHO), there is a growing recognition that the ways in which biosafety, biosecurity and dual-use research have traditionally been defined in the context of life sciences research needs to be updated.
The traditional focus of laboratory biosecurity was on preventing unauthorized personnel from gaining access to biological agents in a laboratory. However, biosecurity increasingly includes measures to address insider threats. The new focus must include places not traditionally thought of as a laboratory, including hospitals, biomedical research institutions, genomic databases, biotechnology companies and facilities that manufacture medical countermeasures.
According to the WHO, new risks extend beyond pathogens and biology. For example, new developments in neurosciences could potentially be misused (e.g. to enhance or diminish human performance). Advances in nanotechnology and its applications in the life sciences have led to the development of nanocarriers that can improve the efficacy of drugs, but there are concerns that nanoparticles could be misused (e.g. being delivered as aerosols that could traverse the blood–brain barrier).
In addition, risks extend beyond human diseases to include potential harm to plants, animals and the environment.
There is a need to consider the dual-use potential of technology such as AI and its role in cyberwarfare and information warfare . The scope of governance needs to be broadened to areas where life sciences intersect and overlap with other scientific disciplines.
Cybersecurity of Genomic Data
According to the National Institute of Standards and Technology, genomic data are generated from studying the structure and function of an organism's genome, which consists of genes and other elements that control the activity of genes. Examples of genomic data can include information on deoxyribonucleic acid (DNA) sequences, variants, and gene activity.
The world has entered an era of accelerated biological innovation built primarily upon the many uses of genomic data that include vaccine development and manufacturing, pharmaceutical development and manufacturing, disease diagnosis, and agricultural innovations that enable increased food production, biofuel development, basic and translational scientific research, consumer testing, genealogy, and law enforcement, among others. More uses continue to be discovered.
Genetic sequencing technology has advanced such that sequencing entire genomes is feasible and affordable. Whole or partial genome sequences for many microbial, plant, and animal species reside in open access, controlled access, or private databases within the National Institutes of Health (NIH), Federal Bureau of Investigation (FBI), and direct-to-consumer (DTC) genetic testing providers, to name a few.
As this era unfolds, there is a new awareness of risks to U.S. national security, its economy, its biotechnology industry, and its citizens due to cybersecurity attacks targeting genomic data.
Cyber attacks targeted at genomic data include attacks against the confidentiality of the data, its integrity, and its availability.
Cyber attacks against the confidentiality of the data can threaten our economy through theft of the intellectual property owned by the U.S. biotechnology industry, allowing competitors to gain an unfair economic advantage by accessing U.S. held genomic data.
Attacks against the integrity of the data can disrupt biopharmaceutical output, agricultural food production, and bio-manufacturing activity.
Attacks against the availability of the data include encrypting for ransom, deletion of data, and disabling critical automated equipment used in research, development, and manufacturing.
The potential harms of cyber attacks on genomic data threaten our national security as well, including enabling development of biological weapons and surveillance, oppression, and extortion of our citizens, military, and intelligence personnel based on their genomic data.
Cyber attacks targeted at genomic data can also harm individuals by enabling intimidation for financial gain, discrimination based on disease risk, and privacy loss from revealing hidden consanguinity or phenotypes including health, emotional stability, mental capacity, appearance, and physical abilities.
In addition to the privacy risks that can arise because of a cyber attack, privacy risks unrelated to cybersecurity can arise when processing genomic data. These risks can arise when there is insufficient predictability, manageability, and disassociability in the genomic data processing.
Insufficient predictability in data processing can result in privacy problems if individuals are not aware of what is happening with their genomic data.
Insufficient manageability in data processing can arise when the capabilities are not in place to allow for appropriately granular administration of genomic data. For example, individuals may need to be able to have some or all their genomic data deleted from a dataset.
Permitting access to raw genomic data, instead of using appropriate privacy-enhancing technologies to extract only the necessary insights (without revealing the raw data), introduces privacy risks from insufficient disassociability in data processing. Each of these areas of privacy risks can disrupt the ability to realize the benefits of processing genomic data.
The U.S. research community, government, and private industry require genomic data sharing to advance scientific and medical research and to maintain the country’s competitive advantage in biotechnology. The transfer and sharing of genomic data are essential for understanding human health, improving wellbeing, and accelerating scientific inquiry and advancements.
The genomic data transferred and shared represent tens of millions of individuals who provide their information. In aggregate across all types of measurements, these data are processed by thousands of entities (e.g., domestic, international, nonprofit, for-profit) that store, access, manage, and use genomic and health-related data. These data sharing activities need adequate technological and policy controls that allow research and enable commerce, as well as respect the informed consent and privacy of the data subjects who expect protections from reidentification.
Loss of control of genomic data can cause risks to privacy, personal security, and national security, as adversaries can use genomic data for nefarious reasons. Genomic database breaches or other losses of data may result in thefts of intellectual property and put the U.S. at a competitive disadvantage in biotechnology.
Security threats may arise through the creation of bioweapons or compromised identities of national security agents. Cyber attacks have occurred on genomic databases, commercial entities storing genomic data, DNA sequencing instruments, and genomic software tools. Other attack scenarios and exploits include targeting hardware, firmware, software, the local network, cloud infrastructure, and physical security.
Existing cybersecurity and privacy risk management practices must be tailored to effectively address cyberbiosecurity challenges. We must close the gaps that persist in legislation, and international cooperation. Understanding the risks and challenges, not only the opportunities, is the first important step.