Cyberbiosecurity – new attacks and an urgent call for action

The cyber-physical/biological nature of the life-science fields makes the public susceptible to numerous malicious attacks

Sep 29, 2024

During the last couple of weeks, I have been writing a critique on a recent article published in Science. It turned into something more complex, and I have not decided yet how to proceed – contact the authors (as an independent researcher, I usually never get any response), try to reach out to the funder (the John Templeton Foundation), post it as a preprint, or write an open letter.... While this kept me busy, I came across something else I find particularly worrying which prompted me to write this short post.

Long under-appreciated: risks and threats throughout the bioscience fields facilitated by computerized technology, the Internet, and automation

I was among the first to warn that computers, online communication, and the digitization of biology could lead to a vast array of problems throughout the bioscience fields and also be deliberately misused.

It’s been over a decade that I have been researching under-appreciated risk potentials. A huge part of my 2nd PhD dissertation, completed in 2014, was devoted to it. My task had been to develop a method for the identification of genetically modified plants or other GMOs out in the open environment. I needed to come up with some means to identify “what” the crops or organisms were. Specifically, I was tasked to determine who owned these organisms, what they actually were, and if they were authentic. To determine this, you need some computerized equipment. I quickly found out that this computer overlap creates enormous problems that others did not seem to be aware of.

It was particularly challenging to capture open-air situations, such as cross-pollination, when seeds were unwittingly disseminated to neighboring fields or sold on the black market, or volunteer plants and hybrid formation. Could non-GMO and organic farmers refute GMO spillovers, proving they are not theirs, or would they have to pay a fee to BigAg Techs, even though they never wanted such contaminants? On the other hand, could Monsanto et al. prove that products secretly sold somewhere, or seeds that had been re-used, really belonged to them?

I spent years working on this. Along the line, I have learned lessons that, unfortunately, I STILL feel others have not embraced. (My solution, which I regard as incomplete, has been patented as a US Patent, “METHODS FOR DATA ENCODING IN DNA AND GENETICALLY MODIFIED ORGANISM AUTHENTICATION” which was filed Sept 20, 2018, by the University of WYO - albeit without my involvement as I was no longer in Wyoming at the time. But that’s another story).

In general, there are three issues I regard as particularly concerning in this context of merging computers and biology. This, of course, is much more complex in reality, but the gist of the matter is the following.

The underlying models and algorithms cannot do justice to what’s happening in real life. They are developed by specialists in one field. These are often computer programmers who have no training and knowledge in the bioscience field. Those from the applied side typically lack expertise in the ITC setting. This creates an enormous interdisciplinary struggle and lack of comprehensive expertise – which is easily susceptible to agency and regulatory capture.
You need some form of computers, machines, AI technology, etc, to measure, manipulate, or modify some biomedical entity (which could be an engineered or lab-manipulated organism or any other biotech product/service). However, this tech-bio “interface” can never close the gap between one and the other. You are always dealing with two different entities/realities, even though they are treated as one. For example, you rely on a computer and technology to identify microorganisms. You only get information about a purported thing. Because of the “interface,” one could be swapped or replaced by another, and you may not ever know. Biological entities can also run off (i.,e., be alive!), and interact with other forces and processes in the open environment outside of a lab setting, and the temporary “identification” via a computer would be meaningless. You can use technology to come up with assertions about whichever, but this is never the same as the real (living) thing itself, or a product can evoke biological processes once released.
People are mesmerized by computer/machine outputs. Absent of being able to verify a bioengineered entity with our natural senses, it seems that a flashing red signal must indicate, for sure, that something is present! Since the pandemic, we now have ample evidence of how this can be misused.

I have published some of these difficulties here and here. The above can be maliciously exploited in many ways. My first concern was manipulated or fake GMOs. As the last few years unfolded, I became horrified, seeing numerous ways that threat actors can learn from the Covid-19 pandemic, or implicitly, how these could have explicitly been exploited to facilitate numerous pandemic atrocities. This was published as an invited book chapter here.

For years, I have been ridiculed by many for warning about the misuse potential of the digitization of biology and the reliance on computers, the Internet, and AI. When I first presented some results of my 2nd PhD dissertation, emphasizing the need to take these concerns seriously, I was told, “People are not that mean.” In turn, for years, when I unsuccessfully applied for grants, I was informed I was 20 years ahead of whatever could happen in real life.

With my first training (1st PhD) in Mathematics as well as in Cryptography and Data Security (“Habilitation”), sadly, I had seen how “mean” people can be. Clearly, not all attacks on the Internet are intended to create harm. There is a vast spectrum of reasons and motives why certain actors engage in specific behaviors, including malicious attacks.

On the other hand, from my experience, and that of others as well, people in the biomedical fields have long had a naive trust in the goodness of people and reliance on computers. Over the years, through the input of groups and organizations more powerful than me (a sole, independent researcher), global awareness of the risks of the cyber–physical nature of the entire bioscience field has finally been increasing. The merging of computers, the Internet, and biology in terms of biosafety and -security risks is now often called cyberbiosecurity.

Shocking! Practical forms of misuse at a new level

Over the years, I have witnessed a lot and have been trying to predict other things with unrecognized biorisk potential. Yet, I never imagined that bad actors would do something like the following…. I truly thought that technology-enabled misuse and attacks would have at least some limits, i.e., that those intending to harm would draw the line somewhere.

BBC just reported: 'Fake weight loss drug nearly killed me'

“A mother of two who nearly died after taking a fraudulent weight loss injection is urging others to be careful about what they buy online.”

Somehow or another, I had hoped that bad actors would stay away from faking drugs or that there would be sufficient regulation to prevent things like those.

I guess I had hoped that common actors would feel some empathy, abstain from intentionally causing physical injuries, or even killing harmless citizens. (More could be said about the entire military-industrial complex and organized crime, but that is also a story in itself).

Recent decades have shown us that online attacks are numerous and that these do cause substantial financial harm. Additionally, attackers have expanded their scope via social engineering attacks and used the Internet to defame, discredit, and censor their victims. More recently, attacks have also turned into mass psy-war operations.

Shockingly, the Internet has also been misused to deliberately cause physical harm, even via fake pharmaceuticals.

Counterfeit drugs and medical products can easily be disguised as the real thing. Tragically, the above story shows how easy it is to contain toxic or even deadly substances that could cause serious harm to the entire population.

The setup for bad actors seems perfect. This is how Michelle Sword fell into the trap.

"A lot of people are quite desperate to get these medications because they are quite difficult to access from the NHS," she said.
"So they go to other providers and some of these providers unfortunately do not provide medication that has gone through the right channels.”

It’s clear, this is pointing to an enormous potential for counterfeiting.

Urgent call for action

I can only re-iterate what Michelle Sword is urging others: Beware of counterfeit medical products sold online! And at the research level? These, and the related issues (see the figure below for examples), must be taken much more seriously – what I have been arguing for over a decade.... Internationally, many universities, groups, and organizations have picked up the topic of cyberbiosecurity.

Tragically, however, many of the new experts in cyberbiosecurity are funded by BigAg and BigTech, and many others lack any genuine multidisciplinary experience. However, just as it has been with internet security, it is a monumental task, requiring the input and collaboration of all – in an independent and unbiased manner! I am grateful to The European Union Agency for Cybersecurity (ENISA), who a few years ago, based on my input, began working on these issues. However, we need to do more, much more!

Examples of cyberbiorisks, in no particular order/arrangement. The central part of the figure taken from https://www.bbc.com/news/articles/c4g4r4251p3o

Siguna’s Substack

Discussion about this post