Researchers Talk About Potential Synthetic DNA Supply Chain Attack

Researchers at Ben-Gurion University in Israel talked about a potential bioterrorist attack that could jeopardize the synthetic DNA supply chain. DNA synthesis providers may be misled into creating unsafe DNA sequences, skipping present security controls, and sending those sequences to healthcare clients.

At present, synthetic DNA is being made for use in research and is accessible in several ready-to-use kinds. Customers of DNA synthesis providers define the DNA sequences they need and the DNA synthesis firm creates the needed sequences for purchase and delivers them to their clients.

There are safety measures set up to avoid the synthesis of harmful DNA, however, the Ben-Gurion University researchers denote that the safety controls are not enough. Hackers can possibly take advantage of security flaws and input rogue genetic data into the synthesis process, without the knowledge of customers or DNA synthesis companies. For instance, rogue genetic material can be introduced that creates a dangerous protein or a toxin.

According to the researchers, there might be an attack scenario that involves a bioterrorist carrying out an attack – ordering, producing and delivering dangerous biological material to consumers, even when the attacker does not touch any laboratory component or biological material. The hypothetical attack method the researchers described can be an “end-to-end cyberbiological attack” executed remotely utilizing a computer to send a spear-phishing email that downloads a malicious web browser plug-in.

An attacker can create a spear-phishing email aimed at a person and utilize social engineering techniques so that the person downloads a malicious browser plug-in into their PC. As soon as there’s a real order for a particular DNA sequence, the attacker will engage in a man-in-the-middle attack and alter the requested DNA sequence delivered to the DNA synthesis supplier, without the individual making the order know about it.

The DNA synthesis firm performs checks to screen out possible harmful sequences. If the checks passed, the company would begin the DNA synthesis and ship the product to the customer. The customer would check the sequence, yet will use the DNA sequence having the fake DNA thinking it is the DNA sequence purchased.

The research paper entitled Cyberbiosecurity: Remote DNA Injection Threat in Synthetic Biology talked about the potential attack method. It was published in Nature Biotechnology recently.

The Department of Health and Human Services created an HHS Screening Framework Guidance for Synthetic Double-Stranded DNA Companies. The DNA synthesis providers need to check double-stranded DNA to make sure that any harmful sequences are not provided to customers; nevertheless, the researchers state that the database of all pathogenic sequences is not complete and the checks could be easily bypassed.

At this time, the software stack employed to create synthetic genes is not quite secured. A cybercriminal with access to the organization could inject fake genetic data into biological systems. The researchers additionally showed that by means of obfuscation, screening systems could not detect 16 of 50 DNA samples.

This sort of bioterrorist attack would be difficult to handle. Therefore, it is important to lower the probability of such an attack. But considering its potentially damaging effects, there must be strict security controls. The present safety mechanisms are in place to avoid the planned or unintentional harmful DNA synthesis, however, the researchers clarify that those security mechanisms were not used to show current innovations in synthetic biology and cyberwarfare.

Biosecurity researchers concur that an enhanced DNA screening strategy is needed to prevent bioterrorists and sloppy enthusiasts from producing dangerous substances in their laboratories.

About Christine Garcia 1288 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA