Unwitting scientists may be tricked into creating synthetic viruses and other toxins in their labs, according to Israeli researchers who claim to have discovered a new “end-to-end cyber-biological attack.”
Published in Nature Biotechnology, the research by a team at Ben-Gurion University (BGU) of the Negev describes how criminals no longer need to have physical contact with a dangerous substance to produce and deliver it.
Part of the problem boils down to a weakness in the US Department of Health and Human Services (HHS) guidance for DNA providers, which allows screening protocols to be circumvented using a generic obfuscation procedure.
The researchers claimed that, when they used this procedure, 16 out of 50 obfuscated DNA samples were not detected.
The second major factor is insufficient cybersecurity controls on lab computers. In the scenario painted in the report, a bioengineer has her PC infected with a malicious browser plug-in, which enables a man-in-the-browser attack.
This lets attackers replace the sequences in the order she places with a DNA synthesis company with malicious ones.
DNA obfuscation techniques camouflage the malicious nature of the order, which is therefore processed without raising any alarms and returned to the lab.
“This attack scenario underscores the need to harden the synthetic DNA supply chain with protections against cyber-biological threats,” said Rami Puzis, head of the BGU Complex Networks Analysis Lab.
“To address these threats, we propose an improved screening algorithm that takes into account in vivo gene editing. We hope this paper sets the stage for robust, adversary resilient DNA sequence screening and cybersecurity-hardened synthetic gene production services when biosecurity screening will be enforced by local regulations worldwide.”
On the cybersecurity side, the report recommends electronic signatures be placed on orders to improve transparency, and intrusion detection systems be used in labs, featuring heuristics and AI behavioral analysis to identify malicious code on PCs.
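The order-signing recommendation above, sketched as an added example (not code from the BGU paper or from any DNA provider): the lab signs the order and the provider verifies the tag before synthesis, so sequences swapped after signing fail verification. It assumes the signing step runs in a tool outside the browser, and HMAC-SHA256 with a shared key stands in for a real digital signature; the field names, key and short sequences are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: in practice a per-lab secret (or a private
# signing key) held by a signing tool that runs outside the browser.
LAB_KEY = b"constructed-demo-key-not-for-real-use"


def canonical_order(order: dict) -> bytes:
    """Serialize the order deterministically so both sides hash the same bytes."""
    normalized = {
        "order_id": order["order_id"],
        "customer": order["customer"],
        # Normalize case and whitespace so harmless reformatting still verifies.
        "sequences": ["".join(s.split()).upper() for s in order["sequences"]],
    }
    return json.dumps(normalized, sort_keys=True, separators=(",", ":")).encode()


def sign_order(order: dict, key: bytes) -> str:
    """Lab side: compute the tag over the canonical order bytes."""
    return hmac.new(key, canonical_order(order), hashlib.sha256).hexdigest()


def verify_order(order: dict, tag: str, key: bytes) -> bool:
    """Provider side: recompute the tag and compare in constant time."""
    expected = sign_order(order, key)
    return hmac.compare_digest(expected.encode(), tag.encode())


def demo() -> dict:
    """Sign a constructed order, then verify intact, reformatted and altered copies."""
    submitted = {
        "order_id": "ORD-0001",  # hypothetical identifier
        "customer": "lab-a",
        "sequences": ["ATGGCCAAGT", "ttgacc ggta"],  # constructed placeholders
    }
    tag = sign_order(submitted, LAB_KEY)
    reformatted = dict(submitted, sequences=["atggccaagt", "TTGACCGGTA"])
    tampered = dict(submitted, sequences=["ATGGCCAAGT", "CCCGGGAAAT"])
    return {
        "intact": verify_order(submitted, tag, LAB_KEY),
        "reformatted": verify_order(reformatted, tag, LAB_KEY),
        "tampered": verify_order(tampered, tag, LAB_KEY),
    }
```

A tag computed inside the compromised browser would cover whatever the plug-in had already substituted, which is why the signing step is assumed to sit outside it.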