Introduction
Due to the colossal growth in the tech industry in the past couple of decades, cyberattack is a commonly used phrase in the contemporary world. People with minimalistic & rudimentary understanding of the World Wide Web with access to some sort of gadget have familiarity with that phrase. But ‘bio-cyberattack’ hardly finds a mention even in the columns of the top bioscience journals. Some recent discoveries imply that the scientific community is no longer ignorant about this vicious threat & a thin portion of them has even started acting upon it.
Artificial synthesis of DNA used to be fictitious in the twentieth century. But the advent of modern technology has revolutionized block-by-block construction of the tall tower, called nucleic acids. What facilities are necessary to make DNA in the lab? A couple of expensive equipment & capability of operating software on computers. The artificial gene synthesis industry has proliferated within the last 2 decades, thanks to the fourth industrial revolution. Alike any other thriving industry, this million-dollar business also experiences vulnerabilities of data temperament & breaches. Any such event would not only create chaos in the scientific community but also may doom the future of human civilization.
Scientific research isn’t the cup of tea of a thick proportion of the population. What’s the big deal with gene manufacturing? How does a cyberattack pose a threat to the entire humanity? How cybercriminals may benefit from data manipulation? Is bio-cyberattack a hoax? All these questions may pop into anyone’s mind who has read the above pair of paragraphs with randomly distributed information about the matter. Let me start with the question of what ‘bio-cyberattack’ actually is.
What is Bio-cyberattack
The analogy of cyberattack is too close to it. So, dissecting the phrase in terms of a correlation with that would make sense. According to Wikipedia, a cyberattack is an attempt to expose, steal, manipulate, destroy, or unauthorized access to data of a remote computer & related network without the knowledge of its legal owner. Since most of the scientific endeavors nowadays heavily rely on computing & the use of computer equipment, cyberattacks turn out to be an emerging threat to the scientific community as well.
The broader definition of the phrase ‘bio-cyberattack’ can be deciphered like this. It’s an effort towards accessing virtual networks & systems used by biologists to collect, manage, & create data relevant to biological science. This type of cyber-attack rarely intends to siphon off money from a wealthy person or organization but aims to manipulate or steal crucial scientific data. The creation of bioweapons, like a deadly virus or a toxic protein, is one goal that can be accomplished by people with rogue mentality if they’ve got relevant coding expertise & a deeper understanding of biological science.
Technology eases any such kind of endeavor in any branch of science it percolates into & its double-edged sword nature leaves scope for every possibility of its application for distressing humankind. Since the DNA manufacturing industry heavily relies on technology & as the industry keeps swelling by its size, wrong-doers keep turning their evil eyes on it for non-monetary gains.
Artificial DNA synthesis in the lab
DNA is made up of millions or billions of base pairs (bp) & an essential component of the majority of the living cells. A sequence of bp determines the functions & characteristics of the DNA and in a broader perspective, the cells that harbor those DNAs. To understand the functions of a DNA string, decoding & modification of its bp sequence are important steps.
In the last century, when accessibility towards any fast-paced technical tool was far-fetched, the procurement of desired DNA strings required painstaking cloning of cells & following up extraction of its nucleic acid component. The splicing technique then aided in chopping base pairs off for sequencing studies.
With the shower of technical blessings, the process is no longer that much tedious & troublesome. Several companies, cashing in on patented technologies, have developed methods of synthesizing DNA in their private labs. Only typing initials of bp (like A for Adenosine, G for Guanosine, etc.) on a computer screen is all that researchers need to do to create a customized DNA. Once such a code is typed, researchers may send that sequence to those companies for ‘printing’ of the desired DNA snippet or the entire DNA.
The synthesis process continues with the addition of one base at a time & over a considerable period, a long string gets constructed within sophisticated robotic equipment. Once printed, the artificial DNA package is delivered to the customer. Such manufacturing strategy requires way less time compared to manual techniques & enjoys extraordinary cost-efficiency.
Screening requirements & security loopholes
The entire process turns out to be simple & smooth, right? But any thriving industry must have a couple of intricate secrets hidden that holds information about their potential vulnerabilities. A couple of things needs special attention when it comes to the manufacturing of ordered sequences. Whenever a company receives an order with a DNA code, the company is responsible to scan the hypothetical string & search in the database of pathogenic sequences. This search ensures that the company doesn’t manufacture any piece of nucleic acid that may turn out to be dangerous when integrated into a cell. But a handful of problems present serious challenges in this screening methods.
Firstly, long DNA code searching in the database requires expensive software & prolonged runtime on computers. That automatically costs more physical as well as temporal resources of the company. Let me give you an example of what I mean. Say, Kate, an expert biologist, creates a sequence on her computer: AGCTGTCTAGTGATCTAGCTAGCTCGATCGAGCTAG… a 100k bp DNA code. She then sends the sequence to Leonard, owner of a gene manufacturing company. Leonard searches this entire code in the database of problematic sequences & the entire string is correlated with the hazardous strings of the database. If the sequence turns out an exact match with a perilous toxic or pathogenic sequence, then Leonard’s computer raises a red flag. He may decline the order stating the reason directly or may do a background check of his customer or reach out to Kate to learn more about her research project.
Secondly, smaller snippets also don’t aid in the process either. These small codes find easier matches within long sequences in the database & often return false-positive results. That means those small pieces deliver more conflicts compared to larger ones. Say, Kate creates a smaller code snippet, a 1k bp sequence & places an order with Leonard’s company. Leonard would search the snippet code in the database. Since it’s much smaller in length, 100 problematic long DNA sequences may contain that code within themselves. That result requires human intervention & an expert in the field would have to manually wade through every conflicting sequence to decipher if the ordered code has any pathogenic origin in reality. Such random matches are examples of false-positive results.
Thirdly, when any snippet code is searched, a considerable number of false-positive results often appear since the present screening technology mostly counts ‘close matches’ with code available in the database. Say, a 10k bp DNA sequence is being screened. After completion of runtime, 20 close-matches may appear amongst which any exact match may remain absent. To ascertain, the company would have to manually scan through to check if the ordered sequence is safe to print.
These problems add up & as consequence, a plethora of small enterprises skip scanning ordered codes. In 2006, UK-based news & media company The Guardian conducted a trial to bring this problem under the limelight. Their journalist team placed an order of a nucleic acid sequence that originally belonged to the RNA of the smallpox virus. The company printed the string without any scan or background check. The team received their package with the requisite product without receiving any prior inquiry from the company. Then, The Guardian published a report highlighting the screening negligence at the companies end.
Screening of requisite codes is an essential part of biosafety protocol & must be complied with by every company operating in the industry. Although industry leaders hardly disregard norms, the tradition is much prominent in companies with smaller size. Several researchers have opined a scope for passive incentivization for making companies compliant with the state-of-art guidelines.
In the US, the majority of genomic projects are funded by the government. So, the government may introduce allocation of contingency funds that would be provided to labs that keep purchasing synthesized molecules from compliant enterprises. In that case, research labs would be in touch with those enterprises that run scans & soon recalcitrant ones will start adhering to screening guidelines to retain or get more labs on board.
Lately, the US government has exhibited persuasion towards the development of better screening techniques. In 2016, US IARPA has launched several projects that aim to develop algorithms based on machine learning & artificial intelligence for making the scans faster. Such technically advanced tools would aid in finding exact-matches with ease & within a much shorter time frame.
Chances of bio-cyber hacking
All those screening tactics are indispensable when it comes to protecting labs against any kind of cyber hacking. By tampering with virtual data exchanges, deadly pathogenic genes or detrimental toxins (broadly termed as ‘bioweapons’ as earlier mentioned) can be fabricated by cybercriminals. A couple of open-ended loops may fetch golden opportunities to people with vested interests.
Firstly, databases ain’t encrypted well. Those public databases are easily accessible by most of the companies & labs. Cyber offenders can conveniently access those poorly secure databases & may take note of dangerous codes that may ease bioweapon creation. To solve this problem, biologists and cryptographers would have to work in tandem to encrypt all these databases and assure excess is given to the companies and lab.
Secondly, networking systems used in labs lack high-end encryption as well. A recent study highlights the possibility of ‘DNA obfuscation’. The phrase stems from ‘code obfuscation‘ which is a familiar method to programmers. Let me give you an example in terms of code.
When an application is developed, programmers put in hours of effort to write complex codes. But if any 3rd party gets to access the app’s code, they may reverse engineer to understand the script. For sake of prevention of such activity, programmers ‘obfuscate’ the code that was used for the app development so that any 3rd party fails to interpret & read the code. Programmers add dummy codes within the main thread (termed ‘obfuscation’), like casual jibber-jabber within a serious conversation, to deter effortless reverse engineering of that coded script.
Cybercriminals may infect a biology lab’s system with malware that gives them unauthorized access to it, the study claims. Then, they introduce malicious programs & those programs may further customize already scripted sequences. To hide the manipulation, the malware can obfuscate the DNA sequence while sending it to a company for printing. Once printed, the company delivers the synthesized product without any clue of the manipulation. If the lab biologist wishes to cross-check the sequence that was delivered, the same malware deobfuscates the sequence & makes it appear to the biologist in its original untampered form. To keep such malware at bay, all virtual networks of biology labs would need end-to-end encryption & powerful antivirus software.
That’s how hackers can create a deadly bioweapon without even showing up in the lab. Say, one such rogue biologist from country ‘A’ may, with the help of expert programmers, become able to create a highly transmissive deadly viral RNA in a lab that’s based in country ‘B’. If the lab gets contaminated with the virus without their conscious understanding, the virus may act as a weapon to infect a huge share of the populace of that country.
Lack of law enforcement
The gene manufacturing industry is in its early stage & law enforcement authorities are yet to focus on possible offensive activities that may wreak havoc in the industry. The US has introduced standard guidelines to be followed but hardly any other country has promulgated any such kind of act keeping bio-cyber safety as a priority.
A pair of industry-leading groups, like IASB & IGSC, have framed a set of guidelines that mandates recording of suspicious requests & screening of small coding snippets containing as low as 200 bp. But without any legislative law enforcements, companies outside of the US may silently skip complying with the guidelines communicated.
But always laws, acts, policies ain’t enough. Companies & labs should understand the consequence of any bioweapon’s birth in a lab. Those invisible micro killers may stop the beat of a thousand or even million hearts indiscriminately & turn the planet into a large crematorium. The possibility may sound radical but if the initial months of the current pandemic are recalled, we’ll observe the intense fear that we kept lulling in our minds. COVID-19 was compared with the Spanish Flu that took the lives of almost 100 million people a century ago.
Conclusion
Biological research is moving at a faster pace equipped with advanced technological tools. Noting instances of abuses of technology, legislators, company executives, & scientists should keep their eyes open to all such seemingly imaginary possibilities. Rules should be framed, better tools ought to be developed, & reasonable humanitarian causes must be understood. Bio-cyberattack hasn’t happened yet & hope we’ll remain cautious before any such devilish act takes place.
Sumon Writes 