New form of cyberattack distorts the drug development process
During the COVID-19 pandemic, there has been an understandably high level of concern around the health and life sciences sector. The early stages of the pandemic were punctured by stories of hospitals and other medical facilities being struck down by ransomware attacks as cybercriminals looked to take advantage of the general chaos of the time.
Then, as the global life sciences community whirred into action to develop a vaccine to help us emerge from the pandemic, considerable concerns were raised about the potential of industrial espionage as nations sought to infiltrate the labs of those projects that were advancing quickest. Indeed, over the summer, the UK security minister James Brokenshire said he was almost certain that Russian state-sponsored hackers had attempted to steal the work being developed in laboratories in the UK, US, and Canada.
“The National Cyber Security Centre [NCSC] are 95%-plus satisfied, as are our US and Canadian counterparts,” he said. “We are very careful in terms of calling these things out, ensuring that we can have that confidence in attribution. We do believe that we have this here."
The allure of biological data
A visceral example of such an attack occurred in January 2020 at Cardiff University. A research group led by Professor Andrew Sewell had just announced the discovery of immune cells that they believe could contribute to a universal cancer cell therapy. It wasn't long before the group announced a licensing deal with a company called Enara Bio.
It was at that point that Sewell began to receive notifications that criminals were at work.
Facebook contacted him saying his account was being taken offline due to attacks, with his social media and even university accounts also struck. The attackers then targeted Sewell's wife and friends.
With his intellectual property valued at around $1 billion, the motivation behind the attack is clear, and the huge sums involved in the COVID vaccines illustrate just what is at stake.
Of course, these are not the only threats to the life sciences community, as recent research from the Ben-Gurion University of the Negev illustrates. The research describes what the authors refer to as “end-to-end cyber-biological attacks,” which involve biologists being tricked by cybercriminals into producing dangerous toxins in their laboratories.
Whereas previously acts of manipulation of medical research would have required physical access to the lab so that the processes could be tinkered with, the paper highlights how this is no longer necessary.
Malware attacks are now capable of replacing sub-strings of DNA on the computer of the scientist to unintentionally change a helpful drug into a toxic product.
It’s akin to the adversarial cyberattacks that threaten to derail AI-based systems by manipulating the data on which they function. The Israeli team suggests that the best way to protect medical labs from such an attack is via the screening of DNA orders. Indeed, earlier in 2020, California became the first state to introduce specific legislation regulating the purchasing of genes.
Lack of regulatory protection
Elsewhere, however, the purchasing of dangerous DNA is far easier, especially from companies that are not screening orders. As is so often the case, the researchers complain that the regulatory landscape has not kept pace with the changes in both the technology and the criminal marketplace, so are largely ill-equipped to cover the latest developments in both synthetic biology and cybercrime.
What’s more, they argue that the guidance produced by the U.S. Department of Health and Human Services (HHS) specifically for DNA providers doesn’t prevent screening protocols from being circumvented. This can be done via a procedure known as generic obfuscation, which makes it hard for screening software to detect any DNA that can produce toxins.
The researchers used this technique to obfuscate 16 out of 50 DNA samples so that they were not detected by the screening process. The process was especially vulnerable due to the highly automated and accessible nature of the systems that control it, with many lacking sufficient cybersecurity protection. This allows malware to interfere with any of the biological processes undertaken in an infected laboratory.
The potential for DNA injection to harmfully alter the biological process is but the latest of a growing wave of threats to the life sciences sector. The researchers believe that many more such threats exist, but by highlighting arguably the most complex of them, they hope to illustrate just how threatened the sector is from cybercriminals. The attack compromised weaknesses at the software, biosecurity screening, and biological protocols level of the bioengineering workflow.
The researchers hope that their work will prompt the healthcare sector to bolster the cybersecurity processes they have in place to protect the crucial work that society has come to depend so heavily upon, while also being the first step in improving the regulations that surround the DNA economy.