In a paper published yesterday in Trends in Biotechnology, Colorado State University scientists urge awareness of cyberbiosecurity risks for researchers, government, and industry. They say that although biological research has entered a digital age, trust within the community has created vulnerabilities at the interface between cyberspace and biology.
"In the past, most biosecurity and biosafety policies were based on sample containment," Jean Peccoud, Abell Chair of Synthetic Biology and professor in the department of chemical and biological engineering says. "Now, it's so easy to read DNA sequences, for example, or to make DNA molecules out of sequences publicly available from bioinformatics databases. Most projects have a cyber dimension, and that introduces a new category of risk."
Peccoud and co-authors explain that security policies in the life sciences fall into two categories: biosafety and biosecurity. Biosafety procedures are designed to prevent exposure to pathogens and accidental release of biological agents. Such measures include protective clothing, sterilization procedures, and airlocks.
Biosecurity policies, however, are usually associated with travel, supply chains, or terrorist activities. Breaches of biosecurity can be accidental (a traveler bringing contaminated material from overseas) or intentional (bioterrorism).
Peccoud stresses that cyberbiosecurity risks are not always doomsday scenarios. There's a broad spectrum of risks that can start with fairly low-impact mistakes, such as mislabeled samples in a lab. Despite the risks, there is too much naive trust among partners in the supply chain. That needs to change, he says, in order to increase productivity around biological research and to limit the risk of a significant incident.
Peccoud likens this needed change to today's increasing awareness around cybersecurity, in response to high-profile hacking incidents. Today, most people have at least some sense of how to manage their own cybersecurity. The same should be true for the life sciences, he says, and a major incident shouldn't need to be the impetus for change.
The authors recommend employee training, systematic analyses to examine potential exposure to cyberbiosecurity risks, and the development of new policies for preventing and detecting security incidents.
"Once individuals in a community are aware of cyberbiosecurity risks, they can begin to implement safeguards within their own work environments, and work with regulators to develop policies to prevent cyberbiosecurity breaches."