key: cord-1026670-0hu5twhp
authors: Mueller, Siguna
title: Facing the 2020 Pandemic: What does Cyberbiosecurity want us to know to safeguard the future?
date: 2020-09-25
journal: Biosaf Health
DOI: 10.1016/j.bsheal.2020.09.007
sha: fabbbfb1c0bb41db384a7aa37673e40346d72f2b
doc_id: 1026670
cord_uid: 0hu5twhp
As the entire world is under the grip of the coronavirus disease 2019 (COVID-19), and as many are eagerly trying to explain the origins of the virus and cause of the pandemic, it is imperative to place more attention on related potential biosafety risks. Biology and biotechnology have changed dramatically during the last ten years or so. Their reliance on digitization, automation, and their cyber-overlaps have created new vulnerabilities for unintended consequences and potentials for intended exploitation that are largely under-appreciated. Herein, I summarize and elaborate on these new cyberbiosecurity challenges, (1) in terms of comprehending the evolving threat landscape and determining new risk potentials, (2) in developing adequate safeguarding measures, their validation and implementation, and (3) specific critical dangers and consequences, many of them unique to the life-sciences. Drawing upon expertise shared by others as well as my previous work, this article aims to summarize and critically interpret the current situation of our bioeconomy. Herein, the goal is not to attribute causative aspects of past biosafety or biosecurity events, but to highlight the fact that the bioeconomy harbors unique features that have to be more critically assessed for their potential to unintentionally cause harm to human health or environment, or to be re-tasked with an intention to cause harm. I conclude with recommendations that will need to be taken into consideration to help address converging and emerging biorisk challenges, in order to minimize vulnerabilities to the life-science enterprise, public health, and national security.
Ever since the coronavirus disease 2019 (COVID-19) pandemic began, (laboratory) biosafety and biosecurity concerns have been even more rigorously scrutinized. This article uses the lens of the current pandemic to evaluate biological risks from biological research, particularly those that are amplified by the digitization of biological information and biotechnology automation. The cyberphysical nature of biotechnology has led to fascinating advances throughout the bioscience field. Only recently, concerns have been raised regarding new risks that may lead to unintended consequences or unrecognized potentials for misuse. Just as the emergence of the internet some decades ago led to a major revolution (which, by necessity, was paralleled by the field of cybersecurity), we are now facing the era of cyberbiosecurity with its own security vulnerabilities. The DNA synthesis industry has worked proactively for many years to ensure that synthesis is carried out securely and safely. These efforts have been complemented by the growing desire and capability to resynthesize biological material using digital resources [1, 2]. Yet, the convergence of technologies at the nexus of life and medical sciences, cyber, cyberphysical, supply chain and infrastructure systems [3], has led to new security problems that have remained elusive to the majority of the scientific, agricultural, and health communities. Only during the last few years has awareness of these new types of vulnerabilities been growing, especially related to the danger of intended manipulations. As these concerns have spawned the emergence of cyberbiosecurity as a new discipline, it is important to realize that its focus is not merely on traditional cyber-attacks (Sect. 2 and Fig. 1 below). Due to the increased reliance of the bioscience fields on cyberphysical systems (CPS, Fig. 3 below), potentials for exploitation exist at each point where bioengineered or biomanufactured processes or services interface with the cyber and the physical domain, whereby attackers may exploit unsecured networks and remotely manipulate biologic data, exploit biologic agents, or affect physical processing involving biological materials, that result (whether intentionally or unintentionally) in unwanted or dangerous biological outcomes [4, 5, 6, 7]. Great efforts have been put into place to rigorously assess the new risks and threats (see in particular [3] and the recent National Academy of Sciences, Engineering, and Medicine report "Safeguarding the Bioeconomy" [7, pp. 204-211]). Nonetheless, cyberbiosecurity is still in its infancy. There is still limited expertise to fully characterize and assess the emerging cyberbio risks [8], and it has been recognized that generic cyber and information security measures are insufficient [8, 9, 10, 11, 12, 13, 14]. Triggered by the COVID-19 pandemic, enormous amounts of resources have been devoted to identifying its exact genesis. A goal of this article is to challenge this narrow focus by concentrating on the larger context of cyberbiosecurity, to illuminate serious new concerns for a wide audience. I will highlight distinct challenges and suggest specific steps to help support risk deterrence efforts.
Most broadly, cyberbiosecurity aims to identify and mitigate security risks fostered by the digitization of biology and biotechnology automation. Fig. 1 gives a summary of how this new paradigm evolved. While others, including the author, began to investigate these challenges almost a decade ago [15, 16, 17, 18, 19, 13], the term cyberbiosecurity was first (informally) used in [20]. These authors warned of security issues resulting from the cyberphysical interface of the bioeconomy, as it was recognized that all biomanufacturing processes are in fact CPS (see also
Incomplete awareness.
During the last few years, the biotechnology industry has fallen prey to serious attacks (see e.g. [7, Table 7-1]), although there is no broad awareness of this. This important observation and the compelling need to question the "naive trust" throughout the life-science arena were key drivers to establish cyberbiosecurity as a new discipline [20]. Additional sobering criminal cases that have affected the bioscience field are now emerging, even during the current pandemic (e.g. [10, 23, 24, 21, 25, 26]). As noted in [23], these encompass three critical areas of attack: sabotage, corporate espionage, and crime/extortion. Yet, people in the life-sciences are largely ignorant of the dangers as they are barely trained in security issues, or not at all. Research and healthcare industries are vulnerable to cyberbiosecurity attacks because they have not kept up with threats [27, 8].
Capitalizing on a common misconception. Generally, it is widely accepted that cybersecurity attacks and data breaches are a matter of when, not if. Very recently, ransomware attacks have been recognized as "the primary threat" to healthcare organizations [28]. Statements like these seem to support the understanding that cyberbio concerns in the bioeconomy could be dealt with by using IT solutions alone (and possibly optimized for life-science demands). Unfortunately, the reliance on CPS generates unrecognized convergence issues. It is important to understand that due to cross-over effects, neither cyber nor physical security concepts alone are sufficient to protect a CPS. "Separate sets of vulnerabilities on the cyber and physical sides do not simply add up, they multiply" [29]. Notably, cyber-attacks on critical automated (computer-based) processes (e.g., workflow or process controls) may lead to dire real-world consequences, similar to direct physical attacks. For instance, a 2008 explosion in the highly secure 1,099-mile Baku-Tbilisi-Ceyhan pipeline was caused by computer sabotage.
The main weapon for this cyberphysical act of terrorism was "a keyboard" [30, 29]. In general, the term "physical" in CPS (Fig. 3, central box) is applied to the "engineering, physical and biological" [31] components of the system, or more generally, any components of the physical world which are connected through cyber elements.
(e.g. the Hazard Analysis Control Point system for the Fd+Ag sector or, more generally, The Infrastructure Survey Tool [36] or NIST guidelines [37]), it is recognized that fully scoping all the cyberbio risks, not to mention their relative likelihood and impact, is rather challenging [23, 22, 8]. Although some of the cyberbio vulnerabilities share compelling similarities to the early days of the internet [38], there are critical differences [9, 10, 11, 12, 14]. While most responders to the above mentioned survey of international experts [8] agreed that their organizations had "considered" cyberbio issues, some noted "insufficient time" or "no idea" how to address them, and all pinpointed the lack of available resources. This section describes some of the difficulties.
• The problem of identifying what needs to be protected:
  - Many of the novel cyberbio risks and threats (Table 1) have not been fully scoped. They are difficult to characterize, and envisioning the complete risk landscape continues to be a challenge [39, 8, 40, 14, 23].
  - Identifying and hierarchizing the extent, impact and severity of various (including, hypothetical) new vulnerabilities is difficult.
  - There is no comprehensive model to effectively capture, assess, and address the motivations, capabilities, and approaches of those who may cause harm (see also Sect. 4.2).
• How protection is achieved and enforced:
  - Existing solutions from the cyber domain are only geared at specific aspects of biosecurity and cybersecurity but do not address the overlap and the issues arising from this convergence [8, 40, 14].
  - Due to variations in types of threats, targets and potential impacts, it is not straightforward to determine the applicability and effectiveness of a possible solution.
  - As "there is no one model" to secure the use of information systems across the bioeconomy [7], weak or premature solutions may only help address a distinct problem but be misapplied in a different context, or even become a source for exploitation (Sect. 4.2 and Fig. 4 below).
standards and guidelines [11, 22, 34] are a serious issue to achieve comprehensive and international protection.
Very recent publications and programs [33, 41, 7, 42, 43, 44, 45, 46, 47] undoubtedly have increased cyberbiosecurity awareness and large corporations will have been able to enhance their infrastructure. Yet, the 2020 pandemic has shifted R&D priorities and budget and has hampered many efforts to better comprehend the new risks and to develop solutions. Pharma and medtech professionals and companies are overwhelmed with COVID-19 mitigation and crisis resolution while the industry sprints to develop new therapeutics and vaccines. On the other hand, the pandemic has led to a huge rise in cyber-attacks, with some reporting an 800% increase compared to pre-coronavirus levels [48]. As cybersecurity professionals are struggling to target this surge in cyber-crime, WFH (work from home) has impacted the ability of many cybersecurity professionals to support new business applications or initiatives [49]. As companies and organizations struggle to maintain stability and security, new research areas such as cyberbiosecurity have received inadequate attention and support.
In addition to the known cyberbio challenges described above, the context of the bioscience fields leads to distinct problems that are not well understood. The context of the life-sciences involves unique concerns and unknowns.
Cyber-based attacks targeting the biological and medical sciences involve living entities, with networks of connections, combinatorial interactions and a dynamic range of outcomes. Future and timed effects can be achieved by various technologies (e.g., non-volatile memory devices and electronic circuits). Yet, with biotechnology products there is a decreased ability to control exposure [50]: They are often designed to be easily dispersed (e.g., with agricultural technologies directly in the field [51]), reach high scalability [50], can be delivered in different states (including water [52]), and can be activated by simple environmental agents (temperature, light, wind [53, 54, 55]). A critical issue with active biologicals is that they can be transferred by contact, ingestion, or inhalation [50]. While concerns about unintended consequences and ill-intended applications of these and related technologies have been raised recently (see e.g., [50, 56, 57, 18, 33, 13, 7]), types of biotechnologies that not merely have a cyber-overlap, but which constitute artificial systems themselves, have been even less assessed. These include artificially generated self-replicating systems [58], artificial cells that mimic the ability of natural cells to communicate with bacteria [59], or artificially generated processes to interact with one another and initiate various signaling cascades [60]. The consequences of an ill-intended or accidental release of such systems into the environment are not understood. One of the most complex issues may be that "information" in the biological context is of a different kind than what is meant in the information sciences. Identifying "biological information" is not always straightforward and may evade available technology from time to time: consider, for instance, the situation of recessive alleles of a gene.
These can be phenotypically invisible over a huge proportion of a population, while their frequency is known from tools such as the Hardy-Weinberg equilibrium equation; as DNA sequencing and synthesizing technologies developed over decades, they could be detected and linked to individuals. While such invisibility features are of potential benefit in the area of steganography, [61] describes critical concerns that analogously apply to cyberbiosecurity. For instance, biological information can be stored and transmitted in a virtually undetectable way: "No X-ray, infra-red scanner, chemical assay or body search will provide any immediate evidence" of it [61]. Further, biological media can survive much longer than anticipated [51], which in this context leads to the worrisome situation that data (or biologic "information") can "literally run off on its own" [61].
Notably, critical vulnerabilities also arise in the context of devices and mechanisms. Among others, the above mentioned survey [8] identified "elevated or severe risk" potentials for an unauthorized actor to (1) take control of infrastructure (e.g., lab equipment, lab control systems, or even a fully automated robot lab), (2) interrupt the functioning of lab systems, or (3) circumvent security controls. The cyber-physical nature of biotechnology is one of the key concerns in cyberbiosecurity (Fig. 3 and Table 1). With increased automation, dangers arise, for example, in the context of sterilization methods used in the healthcare and laboratory setting. For some methods, a very recent study [62] demonstrates that "integrity of released DNA is not completely compromised," which is leading to the "danger of dissemination of DNA and xenogenic elements across waterways." These findings were linked to temperature and time (e.g., short microwave exposure times or short exposure time to glutaraldehyde treatment were least effective).
Parameters like these are both highly malleable and susceptible to manipulation, which will become an even bigger concern with "smart labs" of the future [21]. In the context of food and agricultural systems, cyberphysical interconnections lead to the danger of "[m]anipulation of critical automated (computer-based) processes (e.g., thermal processing time and temperature for food safety)" and "[l]ack of ability to perform vulnerability assessment" [34].
Traditionally, the reliance on tacit knowledge and direct hands-on processes and applications has shielded the bioscience field from many forms of attack. Beyond doubt, the digitization of biology and biotechnology automation are key drivers that enable the bioeconomy. Nonetheless, these are creating yet a different type of risk than described above. The Internet makes it easier to bypass our existing controls (be they personal intuitions, company procedures or even laws) [63]. We have evolved social and psychological tools over millions of years to help us deal with deception in face-to-face contexts. But when we lose both physical and human context (as in online communication), forgery and intrusion become more of a risk. It is now known that in the cyber fields "Deception, of various kinds, is now the principal mechanism used to defeat online security" [63]. Online frauds are often easier to do, and harder to stop, than similar real-world frauds. And according to [64], "more and more crimes involve deception; as security engineering gets better, it's easier to mislead people than to hack computers or hack through walls." While only recently recognized as one of the most important factors in security engineering [63], the entire life-science enterprise is not adequately prepared for attacks that exploit psychology (social engineering attacks, Table 2). At the same time, hackers are getting better at technology: "designers learn how to forestall the easier technical attacks..." [63].
Thus, through various forms of fraud and deception, attackers may be able to circumvent many of the existing cyber-based safeguarding mechanisms and get direct access to their victim's system. Once they have entry to a target system, this may allow them to exploit not only the data and cyber side; it could also facilitate attacks on control and processes underlying various cyber-physical applications (Fig. 3) with consequences that directly affect biophysical components (Fig. 4).
Cyberbiosecurity is highly cross-disciplinary and will benefit from integrating existing capabilities and proven methodologies from a wide range of fields (e.g. security engineering, physical security and privacy, infrastructure resilience, and security psychology), with requirements from the life-science realm. As cyberbiosecurity may profit the most from lessons learned in the information security domains, this section focuses on this arena. Several suggestions have been made to secure specific new cyberbio challenges via various cyber applications (e.g. [66, 12, 38, 14, 21, 5, 10]). Nonetheless, their practical realization is not always straightforward as even most basic information security notions still need to be better adapted to the bioscience framework (see e.g. [14, Table 1]). Similarly, it will be necessary to refine and extend the classic CIA triad (which long has been the heart of information security), to extend the suggestions made previously (e.g. [14, Fig. 3]), to optimally align them with the new demands.
As argued (Sect. 4.1), not all of the new problems can be linked to traditional cyber issues. Thus, it will be important to distinguish which challenges could, or could not, be identified/safeguarded by existing cyber-approaches (or slight modifications thereof). To aid this distinction and develop a hierarchy of risk severity, it will be helpful to pinpoint the following.
Identify challenges to assure authenticity and integrity.
The cyber-based interface to measure and assess a bioengineered product or service creates a gap, potentially allowing a range of vulnerabilities, from falsifiable entries of biological databases and sequence errors [38, 12] (which in a context like pathogens could lead to entry errors with rather disturbing effects), the intentional tampering of data related to forensics [67], cyber-enabled attacks on systems monitoring water security [68], to the actual exchange of the purported actual (CPS produced) entity. The latter may enable the distribution of accidentally exchanged/counterfeit products such as plasmids [20].
which give rise to unique concerns where, e.g. some undeclared and "invisible" protein or nucleic acid in a suspended formulation contacts the stated product on release from the packaging or in the retail chain (see [50]).
"information" in the biological sciences [61], the information life-cycle at large, logically-based game strategies, mechanisms for dual-use appropriation, end-to-end assessments, "routes to harm," context, and multiple exposure pathways [57, 13, 66, 40, 10, 35, 50].
Identify the possibility of future and off-target effects. These are situations where clear predictions as required for various "if-then" paradigms employed in the cyber domains are inapplicable. Deterrence measures will need to consider emerging actors and their pathways of action, including interactions between synthetic and natural entities, as well as mechanisms, vesicles and actions that can be activated by various physical and mechanical forces or combinations thereof [68, 50].
Cyberbio efforts will benefit from the CPS arena as these provide unique insights relative to "hardware" (incl. devices and systems) and "software" interdependencies. The cyber-interactions and the interconnectedness of such systems necessitate a drastic modification of previous security principles (see e.g., [29, 72]).
Analogously, for cyberbio systems and mechanisms, it will be necessary to refine a list of security principles and goals, by incorporating CPS lessons, to optimally align them with the bioscience fields.
Cyberbiosecurity is an evolving paradigm that points to new gaps and risks, fostered by the cyber-overlaps of modern biotechnologies. The enormous increase in computational capabilities, artificial intelligence, automation and use of engineering principles in the bioscience field have created a realm with a glaring gap of adequate controls. Vulnerabilities exist within biomanufacturing, cyber-enabled laboratory instrumentation and patient-focused systems, "Big Data" generated from "omics" studies, and throughout the farm-to-table enterprise..." [39]. Numerous security risks in the biological sciences and attack potentials based on psychology have not been adequately assessed, let alone captured. They will require completely new approaches towards their protection to avoid emergencies at the scale of COVID-19 or more. Yet, the current situation regarding cyberbiosecurity is sobering (Fig. 5). The private sector, small and moderate-sized companies, and the larger DIY community itself are particularly vulnerable [7, 34, 11]. Rather than spending enormous amounts of resources in looking back to identify the exact genesis of SARS-CoV-2, cause of the pandemic, and the emphasized singularity of our current global situation, a concerted effort to better understand and mitigate the emerging cyberbio challenges faced by the entire bioeconomy sector should be a top priority. This paper summarizes existing critical issues that must be considered. It also suggests steps that can be leveraged to help assess and ensure that the many bioscience capabilities remain dependable in the face of malice, error, or mischance.
The author confirms sole responsibility for the following: Conceptualization, Investigation, Methodology, Validation, Visualization, Writing - original draft, Writing - reviewing and editing.
The author declares there is no conflict of interest.
I would like to thank the reviewers who provided expertise and comments that greatly improved this paper.
• The attacker was able to view personal information including email addresses and phone numbers, which are displayed to some users of Twitter's internal support tools [73].
• These credentials can give them access to internal network tools and enable them to sabotage cyber-based controls of CPS (Figs. 3 and 4).
Exploratory fact-finding scoping study on "digital sequence information" on genetic resources for food and agriculture., report on the Exploratory Fact-Finding Scoping Study on Comments of third world network on digital sequence information Editorial: Mapping the cyberbiosecurity enterprise Cyberbiosecurity: An emerging new discipline to help safeguard the bioeconomy Cyber-biosecurity risk perceptions in the biotech sector Researchers are sounding the alarm on cyberbiosecurity National and transnational security implications of asymmetric access to and use of biological data The national security implications of cyberbiosecurity Cyberbiosecurity challenges of pathogen genome databases The digitization of biology: Understanding the new risks and implications for governance On DNA signatures, their dual-use potential for GMO counterfeiting, and a second) dissertation, Biomedical Sciences A covert authentication and security solution for GMOs A covert authentication and security solution for GMOs Point of view: A transatlantic perspective on 20 emerging issues in biological engineering The intelligent and connected bio-labs of the future Cyberbiosecurity: from naive trust to risk awareness Cyberbiosecurity implications for the laboratory of the future Building capacity for cyberbiosecurity training Cyberbiosecurity
in advanced cyber safety US hospitals turn away patients as ransomware strikes Bloomberg, Hackers "without conscience" demand ransom from dozens of hospitals and labs working on coronavirus Cybersecurity in healthcare: A systematic review of modern threats and trends Institute for Critical Infrastructure Technology, The cybersecurity think tank (nd Overview of security and privacy in cyber-physical systems Mysterious 08 turkey pipeline blast opened new cyberwar era Adaptations of avian flu virus are a cause for concern Cyberbiosecurity: A new perspective on protecting U.S. food and agricultural system Cyberbiosecurity for biopharmaceutical products Defending our public biological databases as a global critical infrastructure Cyberbiosecurity: A call for cooperation in a new threat landscape Are market GM plants an unrecognized platform for bioterrorism and biocrime? The Australia Group (nd) THE NUCLEAR THREAT INITIATIVE, Biosecurity reducing biological risk and enhancing global biosecurity (nd) Vbc launches biosecurity codes section National Institutes of Health, National science advisory board for biosecurity (nd Blue ribbon study panel on biodefense (nd) Top cyber security experts report: 4,000 cyber attacks a day since covid-19 pandemic The covid-19 pandemic and its impact on cybersecurity Environmentally applied nucleic acids and proteins for purposes of engineering changes to genes and other genetic material Agricultural research, or a new bioweapon system? 
Plant-protecting RNAi compositions comprising plant-protecting double-stranded RNA adsorbed onto layered double hydroxide particles Systems and methods for delivering nucleic acids to a plant Methods and compositions for introducing nucleic acids into plants The next generation of insecticides: dsRNA is stable as a foliar-applied insecticide The New Alchemists: The Risks of Genetic Modification, The New Alchemists: The Risks of Genetic Modification Why gene editors like CRISPR/Cas may be a game-changer for neuroweapons Development of an artificial cell, from self-organization to computation and self-reproduction Vesicle-based artificial cells as chemical microreactors with spatially segregated reaction pathways Aims and methods of biosteganography Anticipating xenogenic pollution at the source: Impact of sterilizations on DNA release from microbial cultures Psychology and security resource page (nd) Is confidence in the monitoring of ge foods justified? Next steps for access to safe, secure DNA synthesis Identifying personal microbiomes using metagenomic codes Perspectives on harmful algal blooms (HABs) and the cyberbiosecurity of freshwater systems Genetically modified seeds and plant propagating material in europe: potential routes of entrance and current status Methods for data encoding in DNA and genetically modified organism authentication, united States Patent A reference model of information assurance & security An update on our security incident