Table 1.
Area of biorisk concern | Description of dangers/consequences (a) | Source | Major attack potential (b) |
---|---|---|---|
General scope and consequences | “Trust within the biotechnology community creates vulnerabilities at the interface between cyberspace and biology.” Data, bioinformatic input tools or industrial process control systems used by a biotech facility may be “vulnerable to tampering, which could result in damage to the facility or the subversion or sabotage of its products, and subsequent harm to people, plants, animals, or the environment.” | [7,19] | C,CP |
| | In spite of broad efforts to safeguard the bioeconomy in recent years, “the ‘cyber’ overlaps with biosecurity have not been realized or fleshed out.” This creates vulnerabilities at the “interfaces of comingled life and medical sciences, cyber, cyber-physical, supply chain and infrastructure systems.” | [4] | V |
| | Cyberbio concerns “include occupational hazards, damage to equipment, batch failure leading to loss of product, and theft of IP… Shortages or stock-outs of medicines… financial burden...” | [22] | V |
| | Adverse consequences include “the disabling or disruption of important systems or infrastructure leading to disruption of commercial operations or impeding good manufacturing practices....” | [8] | C,CP |
| | “Cyber-physical systems pose significant security and safety risks since their compromise can have effects on the real world; in this case, those effects could include faulty or even dangerous synthesis of biomaterials or interference with biological containment systems…corruption of environmentally or health related sensors or data could result in the misapplication of health care or environmental remediation.” | [7] | CP |
National and transnational | “Intellectual property and proprietary information losses associated with digitized biological information could rise to the millions or billions, eventually resulting in economic decreases and reduced international competitiveness (Heus et al., 2017).” | [11] | V |
| | “Other national security concerns include loss of privacy, discrimination, data loss or theft, industrial and commercial sabotage, industrial hacking, exploitation of research to increase disease severity, targeting based on specific DNA patterns, and the production of dangerous and novel pathogens without physical samples (Bajema et al., 2018).” | ibid. | V |
| | Referring to critical infrastructure sectors: “While some may be aware of the cyberbiological risk to their sectors, they have not yet determined how best to defend against individual cyber- and biological, let alone combined cyberbiological, risks.” | ibid. | V |
Biopharma, biological therapies, public health | “Biopharmaceutical companies employ cyber-physical systems across a range of functions: raw materials sourcing, cell line development and optimization, upstream and downstream process development, manufacturing, validation studies, clinical trials, supply chain management of products, post-market drug safety monitoring, and interfacing with health providers.” | [22] | CP |
| | “Cyberbiosecurity breaches could directly impact patients, from compromised data privacy to disruptions in production that jeopardize global pandemic response.” | ibid. | V |
| | “The intellectual property, manufacturing processes, regulatory requirements and sophisticated cyber-physical systems involved in the production of biologic therapies may be particularly vulnerable to three major forms of cyberattacks: sabotage (deliberate and malicious acts that damage digital or physical infrastructure), corporate espionage (gaining access to sensitive information to attain advantage over an adversary), and crime/extortion (encrypting files with a ransom note asking for remuneration for their return) (Morag, 2014).” | ibid. | V |
Biological databases | “The more we rely on genome databases, the more likely these databases will become targets for cyber-attacks to interfere with public health and biosecurity systems by compromising their integrity, taking them hostage, or manipulating the data they contain.” | [12] | C |
| | “Many web sites provide methods for users to upload data. Interestingly, there seems to be no case where the data integrity is checked during the transfer process....” | ibid. | C |
| | “Existing cyberattack methods could easily target current molecular databases… Almost all traditional cybersecurity solutions fail at data volume, velocity, and variety of this scale… verifying the validity of the data is particularly challenging and cannot be easily performed using existing methods.” | ibid. | C |
| | “Errors may also be intentionally introduced into a biological database… depending on how sequences could be submitted to the database, the adversary may be able to keep the pathogenic sequence from being detected by certain anomaly detection heuristics.” | [37] | C, U |
Synthetic biology | “Commercially-available customer screening solutions still require a great deal of manual review of false positive findings… Current sequence screening algorithms are computationally expensive and, given the high false positive rate, the results of sequence screening can be complicated to interpret… it is extremely difficult to express in the abstract a set of performance characteristics for a system intended to screen the universe of all possible sequences.” | [65] | G, U |
| | Increased capacity for generating enormous, diverse pools of oligo-length sequences and lower-cost methods for assembling high-quality, gene-length sequences from oligo pools “create a potential vulnerability: what would be considered controlled for gene-length synthesis under current regulatory and technical systems would be permitted for synthesis as an oligo pool and could be converted into a gene length sequence by assembly in a modestly equipped molecular biology laboratory.” | ibid. | G |
| | Concern for “venue shopping:” “a bad actor intent on acquiring dangerous sequences could submit an order to multiple companies in the hope of finding a company whose screening system will permit the order.” | ibid. | G |
| | “biofoundries may unwittingly produce components of high consequence biological agents solely from digital information provided by the customer.” | [5] | CP,G |
| | “While resequencing could be used to identify and correct sequence errors, it is only possible when the original source material is available.” | [37] | C,G |
Advanced manufacturing/evolving platforms | “The production processes and assemblies of biologics and other materials can also be distributed and carried out asynchronously at geographically different locations...” | [38] | G, U |
| | “Virtual environments allow access to infrastructure within the physical world; this creates a vulnerability that would permit unauthorized remote access to an automated biological manufacturing system.” | ibid. | CP |
| | “Attackers may cause sensors to report false data or modify algorithms in control systems in ways that can jeopardize product quality, damage manufacturing equipment, and potentially induce occupational hazards.” | [22] | CP |
| | Regarding “smart labs” of the future: “adjustment of fan speeds in building ventilation systems… can lead to potential exposure of any building occupant to infectious microorganisms or their toxic products, contamination of the facility, or airborne release of pathogens to the surrounding external environment… changes to chemical concentration and/or holding time in liquid effluent decontamination systems which can result in premature discharge of infectious, toxic byproducts or genetically altered microorganisms to the municipal waste stream.” | [20] | CP |
| | “To obscure the identity and/or functional properties of the final product several biofoundries can be used, each synthesizing seemingly innocuous products representing only a portion of the final product.” | [5] | G, U |
Food, agriculture, water | “The health and security… of agriculture and food systems is unclear from a cyberbiosecurity perspective. We reason that vulnerable critical links and nodes exist throughout this highly complex global and national ecosystem.” | [38] | V |
| | “A recent contamination event of an unauthorized GM Bacillus subtilis strain (Paracchini et al., 2017) in Europe could have been - or the same way could be - the consequence of exploiting gaps of prevailing DNA signatures.” “DNA signatures may intentionally be exploited to support the counterfeiting or even weaponization of GM organisms.” | [14] | CP,G |
| | “The identification and analysis of harmful genetic manipulations to utilize (covertly modified) plants (GMOs and non-GMOs) as an attack vector show that these concerns need to be taken seriously, raising the prospect not only of direct harm, but of the more likely effects in generating public concern, reputational harm of agricultural biotechnology companies, law-suits, and increased import bans of certain plants or their derived products.” | [39] | CP,G,U |
| | Water security exemplified via harmful algal blooms (HAB): “it is imperative to envision water security from the perspective of a cyber-physical system (CPS).” Attacks on HAB-monitoring systems include “data injection attacks, automated system hijacking attacks, node forgery attacks, and attacks on learning algorithms.” | [67] | CP |

(a) For the citations within quotations, please see the citing literature for details.

(b) C-cyber, CP-cyberphysical, G-gap between digital and physical description/entity/process (Section 5.2), V-various, U-unique concerns (e.g., due to ‘biologic information,’ Section 4.1; see also [39]).