Israel is constantly under threats not only of terror attacks but also of cyberattacks via computers of hostile forces. Researchers at Ben-Gurion University (BGU) of the Negev in Beersheba have discovered an end-to-end cyber-biological attack – in which unwitting biologists may be tricked into generating dangerous toxins in their labs.
According to a new paper just published in the prestigious journal Nature Biotechnology under the title “Increased cyber-biosecurity for DNA synthesis,” it was believed until now that a criminal needs to have physical contact with a dangerous substance to produce and deliver it. But Rami Puzis, head of BGU’s Complex Networks Analysis Lab, a member of the Department of Software and Information Systems Engineering and Cyber@BGU writes that malware could easily replace a short sub-string of the DNA on a bioengineer’s computer so that they unintentionally create a toxin producing sequence.
“Commercial DNA synthesizers sell billions of nucleotides
to customers each year, amounting to hundreds of millions of dollars in sales… To regulate both intentional and unintentional generation of dangerous substances, most synthetic gene providers screen DNA orders that is currently the most effective line of defense against such attacks,” he continued.
“This threat is real…Most DNA synthesis providers check each requested sequence across databases of problematic sequences before order fulfillment, as per the 2010 US Health and Human Services (HHS) guidelines. Unfortunately, however, there are no comprehensive databases of pathogenic sequences, and the guidelines – unenforced outside of US National Institutes of Health (NIH) grantees — are outdated,” the BGU researcher team wrote in the paper.
California was the first state in 2020 to introduce gene-purchase regulation legislation. “However, outside the state, bioterrorists can buy dangerous DNA from companies that do not screen the orders,” Puzis added. “Unfortunately, the screening guidelines have not been adapted to reflect recent developments in synthetic biology and cyberwarfare.”
A weakness in HHS guidance for DNA providers allows screening protocols to be circumvented using a generic obfuscation (confusion) procedure that makes it difficult for the screening software to detect the toxin-producing DNA.
“Using this technique, our experiments revealed that that 16 out of 50 obfuscated DNA samples were not detected when screened according to the ‘best-match’ HHS guidelines,” Puzis explained. The researchers also found that accessibility and automation of the synthetic gene engineering workflow, combined with insufficient cybersecurity controls, allow malware to interfere with biological processes within the victim’s lab, closing the loop with the possibility of an exploit written into a DNA molecule.
The DNA injection attack demonstrates a significant new threat of malicious code altering biological processes. Although simpler attacks that may harm biological experiments exist, the researchers have chosen to demonstrate a scenario that makes use of multiple weaknesses at three levels of the bioengineering workflow – software, biosecurity screening and biological protocols. This scenario highlights the opportunities for applying cybersecurity know-how in new contexts such as biosecurity and gene coding.
“This attack scenario underscores the need to harden the synthetic DNA supply chain with protections against cyber-biological threats,” Puzis concluded. “To address these threats, we propose an improved screening algorithm that takes into account in vivo gene editing. We hope this paper sets the stage for robust, adversary resilient DNA sequence screening and cybersecurity-hardened synthetic gene production services when biosecurity screening will be enforced by local regulations worldwide.”