DNA-targeting Malware Can Trick Scientists into Making Toxins, Researchers Say


In a letter to Nature Biotechnology, cyber-researchers at Ben-Gurion University (Israel) have expressed concern about how seemingly “easy” it is to trick biologists into producing dangerous toxins in their labs through the use of malware.

The researchers say a weakness in the U.S. Department of Health and Human Services (HHS) guidance for DNA providers allows screening protocols to be circumvented using a generic obfuscation procedure, which makes it difficult for the screening software to detect toxin-producing DNA.

“To regulate both intentional and unintentional generation of dangerous substances, most synthetic gene providers screen DNA orders, which is currently the most effective line of defense against such attacks,” says Rami Puzis, head of the Ben-Gurion University Complex Networks Analysis Lab. “However, outside the state, bioterrorists can buy dangerous DNA from companies that do not screen the orders. Unfortunately, the screening guidelines have not been adapted to reflect recent developments in synthetic biology and cyberwarfare.”

In these cases, terrorists do not need to buy or make a dangerous agent—they can merely use malware to replace a short sub-string of DNA on a bioengineer's computer, forcing the scientist to become an unwitting participant in a potential bioterrorist attack.

While it may seem far-fetched, the researchers set out both a scenario and a proof-of-concept experiment to illustrate their concerns. In their article, the hypothetical Eve is a cyber-criminal who is targeting Alice, an academic researcher. Alice orders sequences from Bob’s DNA synthesis company, which, like many others, does not protect the electronic integrity of Alice’s submitted sequence orders.

Once Eve is able to easily infect Alice’s computer with malware, she can replace all or part of Alice’s order with a malicious sequence. Employing DNA obfuscation, Eve’s hijacked order is camouflaged, ensuring screening methods will fail to raise a red flag.

Then, if Alice or a client proceeds to insert the plasmid containing the obfuscated agent into Cas9-expressing cells, the DNA will allow the expression of the gene encoding a noxious agent.

For the Israeli researchers, the next step was putting their hypothetical to the test in a proof-of-concept experiment. They used malware to hijack a researcher’s DNA sequence and, as expected, the obfuscated toxic DNA was not detected by screening software, even receiving the green light for production. The researchers immediately canceled the order and notified the International Gene Synthesis Consortium of the threat.

“Although simpler attacks that may harm biological experiments exist, we've chosen to demonstrate a scenario that makes use of multiple weaknesses at three levels of the bioengineering workflow: software, biosecurity screening and biological protocols. This scenario highlights the opportunities for applying cybersecurity know-how in new contexts, such as biosecurity and gene coding,” said Puzis.

To that point, Puzis and his team suggest the following potential mitigation methods:

  • Upgrade DNA synthesizers with cybersecurity protocols, such as electronic signatures and intrusion detection approaches
  • The current 200-base-pair screening should be reduced to the length of the shortest homology-directed repair template required for deobfuscation
  • Data should be shared in a privacy-preserving manner to enable detection of malicious orders distributed across multiple synthesizers
  • Enhanced protocols should be implemented by legislation and regulation
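
An added example, not code from the researchers' letter or from any synthesis provider: one way to apply the electronic-signature mitigation in the first bullet so that a substituted sub-string in an order is caught when the provider receives it. It assumes an HMAC with a shared key standing in for a true digital signature, a key kept where malware on the ordering workstation cannot read it, and hypothetical function names (`sign_order`, `verify_order`).

```python
# Added example; function names, key and sample order are constructed/hypothetical.
import hashlib
import hmac
import json

ORDER = ">insert_A\nACGTACGTAC\nGTTTGACA\n>insert_B\nggcatcgatt\n"  # arbitrary bases
TAMPERED = ORDER.replace("GTTTGACA", "GTCCGACA")  # sub-string swapped after signing
KEY = b"constructed-demo-key"  # assumption: kept off the ordering workstation

def parse_fasta(text):
    """Return {record_id: canonical sequence}; case and line wrapping are normalised."""
    records, name = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith(">"):
            name = line[1:].strip()
            if name in records:
                raise ValueError(f"duplicate record id: {name!r}")
            records[name] = ""
        elif name is None:
            raise ValueError("sequence data before first header")
        elif set(line.upper()) - set("ACGTN"):
            raise ValueError(f"non-DNA characters in record {name!r}")
        else:
            records[name] += line.upper()
    return records

def record_digests(fasta_text):
    return {n: hashlib.sha256(s.encode()).hexdigest()
            for n, s in parse_fasta(fasta_text).items()}

def manifest_tag(digests, key):
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def sign_order(fasta_text, key):
    """Customer side: per-record digests plus a MAC over the whole manifest."""
    digests = record_digests(fasta_text)
    return {"digests": digests, "tag": manifest_tag(digests, key)}

def verify_order(fasta_text, manifest, key):
    """Provider side: return (ok, ids of records that differ from what was signed)."""
    expected = manifest_tag(manifest["digests"], key)
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, ["<manifest>"]
    got, want = record_digests(fasta_text), manifest["digests"]
    altered = sorted(n for n in set(got) | set(want) if got.get(n) != want.get(n))
    return not altered, altered
```

A public-key signature in place of the HMAC would let the provider verify orders without holding a secret that can also create them.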

“Cyber dangers are spilling over to the physical space, blurring the separation between the digital world and the real world, especially with increasing levels of automation in the biological lab. Best practices and standards must be woven into operational biological protocols to combat these threats,” the authors conclude.