Since I was a boy I have been intrigued by Bioengineering so much that it has become the specialization of my course of study in Electronic Engineering. Later, my destiny was to deal with IT and security and, even if I have never abandoned the love for the combination of engineering and everything that revolves around life, I never thought that today we would have faced each other. to a new phenomenon, the one known as “Cyber Biohacking”.
Who works in the world of cybersecurity he will certainly have heard of exploits, that is a portion of executable code developed to create, in a software, an unexpected behavior and aimed, for example, at gaining administrator privileges on a computer.
Only a few years ago, however, was the hypothesis that these exploit they could have been installed inside a genetic molecule. I understand that it may seem absurd but I assure you that it is not.
What, then, is the biohacking, truly?
il biohacking is that sector of science that combines biology, the study of the human body and hacking: “The set of methods, techniques and operations - reads on Wikipedia - aimed at getting to know, access and modify a hardware or software computer system ".
It is a broad concept and incorporates many activities: from DNA modifications to scientific experiments to improve both physical and brain human performance.
In summary, we can say that the biohacking it is that field of science that combines biology and technology.
Faced with a similar phenomenon, many considerations could be made and, probably, much more than an article would be needed. Therefore, I would like to focus on three elements that I believe may be key:
- Ethics of technology
- Supply Chain Security
- Risk mitigation
Let's start immediately with theEthics of Technology. In the digital age, the word security has become central. Beyond the acquired meaning in the industrial and service sectors and in a data-driven system, the concept has expanded to the point of reaching new dimensions. The relationship between machines and man is ever greater and is reaching ever more advanced and articulated levels.
On the one hand, the system benefits, at times, unthinkable and, perhaps, inaccessible to man (just think of the computing power) and on the other, almost as a counterpart, it gives rise to abilities and activities that are risky for human beings and destabilizing for systems. Digital is disruptive by definition; which means that it is necessary to question, study and design in order to develop safety systems that take into account the new scenarios to be explored.
From all this it follows that the cybersecurity it is the infrastructure to which the protection, in many respects the definition itself, of digital ethics is entrusted.
In this regard, I marry the words of Marco Ramilli, an expert in cybersecurity and Founder and CEO of Yoroi, according to which “It is natural to consider technology directly associated with ethics if we talk about technology as the science of studying 'living well'. On the other hand, it is not possible to expect ethical behavior from technology precisely because it does not have the ability to create itself nor does it have the perception of the limits imposed by culture and 'good living'. Even the best deep-learning system (artificial intelligence), before it can be started, needs an initial training phase that radically influences its decisions. Precisely for this reason it is not possible to consider technology as ethically neutral as it depends greatly on its coach. Technology radically increases the speed of information as well as its scale factor and is a-territorial, therefore devoid of culture. These points represent a change in the outline that disfigures its originality, influencing ethical problems on a large scale ".
An example above all: the ability of a small number of organizations to possess specific information about each of us and exploit it for socio-economic purposes.
Therefore, it is essential to have a clear idea of what and who should oversee and how this privilege should be protected.
All this translates into giving cybersecurity a new meaning, in some ways, original and even a little disruptive: cybersecurity is the backbone of digital ethics and no longer just and only a defense weapon or, in a very sadder, than attack.
If we think that today technologies are at the basis of the digitization of complex systems, critical infrastructures and essential services and that they can suffer cyber attacks modifying their behavior, it is evident how cybersecurity is linked to ethical issues in an extremely profound way. Consequently, we cannot fail to consider it a central element.
I think one of the best-known ethical problems inherent in cybersecurity is that of privacy. Obtaining personal information can allow an attacker to digitally replace the victim, initiating false transactions and manipulating conversations. It is a phenomenon we witness every day thanks to identity theft. Furthermore, this ethical problem could enable the attacker to extort and blackmail the victim.
Beyond the words and statements of a public nature, I do not believe that there is still a deep awareness of this ethical centrality and it is precisely on this that we must seriously work on both the public and private levels.
Today's 'good living' is no longer just akin to the physical relationship but strongly depends on the digital one. Cybersecurity is a fundamental element to guarantee this. For this it is necessary to include this discipline in a new ethical framework that goes beyond space and culture and that is, at the same time, respectful of the human being starting, as mentioned, from the awareness that, on the contrary, technology cannot be ethically neutral. .
Supply Chain Security. Scientists around the world are known to continue to work on developing vaccines to combat the COVID-19 pandemic given the countless variants that have developed in the last period. In addition to trying to steal research data, cybercriminals could develop targeted attacks to trigger biological warfare and DNA could become the new hacker weapon of the future.
A recent publication in the journal Nature takes up a study conducted by a group of researchers from the Ben-Gurion University of the Negev, in Israel, casting shadows on the future of Cyber Biohacking. By forcing the weak DNA synthesis procedures, surprising results can in fact be achieved, with alterations of the genetic code that would bypass automatic controls, generating toxins and new viruses.
Universities and research centers commission specialized companies to create, for scientific purposes, specific DNA sequences necessary for experimentation and studies. The production of RNA or DNA sequences worldwide is largely entrusted to DNA synthesizers, capable of synthesizing billions of nucleotides (DNA) for a turnover of several hundred million dollars. In this field too, the digital world is establishing itself as a fundamental element of the process.
The exponential growth of digital orders to the companies that operate and manage these "synthesizers" has raised many doubts about the possibility of cyber attacks in such a new and delicate market niche. Hackers could in fact enter the nucleotide (DNA) "ordering" and "production" chain by attacking the weak points of the IT systems of operators in the sector. The attacks could concern changes to the "orders", the "mixture" or the production process thanks to the inclusion of incorrect and malicious sequences, able to evade the automatic security checks of the companies operating in the field of DNA synthesis.
At this point, let's try to imagine a realistic scenario in which there are three protagonists: Alice, who works at the biology faculty of a well-known university, Silvio, who is the quality control manager of a company that synthesizes the short sequences of DNA, and, finally, Eva, a criminal hacker ready to test her skills in an extremely modern and hyper-connected environment.
Alice commissions DNA sequences from Silvio, through a consolidated procedure that has no particular levels of security, also considering the fact that there is a relationship of trust between Alice and Silvio who have been working together for some time. Furthermore, in this context, the software used for genetic editing and the files that digitally represent the sequence do not, in turn, have security standards such as to defend themselves against Eva's attacks. The general consideration is that as this is an extremely new field, no one thinks it will be of interest to cybercriminals. Thought, alas, very widespread in all sectors.
In order to streamline procedures, speed up operations and increase productivity, Alice prefers to use the standard procedure, probably, as mentioned, unaware of the IT risks. Eva, however, manages to attack the university computer system, thanks to malware capable of modifying the ordered genetic sequence. Using a cyber "code obfuscation" technique, the malware is able to mask the tampered part of DNA, in such a way that Silvio's company is unable to identify it as "different" from the rest of the sequence.
Malware may even be able to render any human control useless. These controls, currently applied in the synthesis structures only when necessary, are hardly able to highlight the problem, especially in the unfortunate case in which the attacker was so good as to create a malware capable of hiding its traces.
Therefore, the automatic and manual checks give a positive result and the orders are processed and sent to the university faculty where Alice works. At this point, everything is normal and Alice or her colleagues could "unpack" the genetic code received, with the specific procedure called CRISPR / Cas91. By doing so, Alice "frees", in a totally unconscious way, a malignant sequence, potentially a carrier of toxins or viruses or of a new Covid-19.
This type of attack is far from being far from reality, as confirmed by the study developed by the research team of the Israeli University, led by Rami Puzis. In the test, in fact, part of the code was "obfuscated" by hiding a harmful peptide and the new sequence was supplied to one of the main companies in the sector.
Do you want to know what the result was? The automatic internal procedures did not detect any problems, sending the order to production. Of course theInternational Gene Synthesis Consortium, IGSC, the industry's leading body for the creation of common safety standards, was immediately notified of the incident and the order was canceled for biosecurity reasons.
It is clear that all this highlights even more strongly how not only are cybersecurity systems fundamental in all sectors and, therefore, even more so in the scientific one, but also how important process security is, especially if within a supply chain.
“An attack scenario of this type - writes Pizis - underlines the need to strengthen the synthetic DNA supply chain through protection systems from cyber-biological attacks. We propose a strengthened screening algorithm that takes into account the modification of the genome in vivo ”.
It is desirable that adequate security frameworks will have to guarantee both functional and operational security capable of covering technologies and processes in a preventive, proactive and predictive manner.
Risk Mitigation. On many occasions we have had the opportunity to talk about cyber risk and we have discussed it defining it as the real threat that individuals, companies, states and international organizations are called to face in the new era dominated by industry 4.0.
The need to create new business models to increase the productivity of industries has led to a tendency, often reckless, towards automation, computerization, virtualization, the cloud as well as towards all the functionalities present on mobile. It is the set of these characteristics that defines the 4.0 industry to which the various social components are called to relate and on which the risk of cyber attacks acts.
In this scenario, thinking that cybersecurity only means Information Technology makes you smile and knowing that the scope is much broader, it helps to understand the risks and, hopefully, to prevent them.
As with many diseases, the cyber risk is amplified and indeed, we can say that it "feeds" on other digital factors that are closely linked to each other. We could, with a little imagination but perhaps not too much, trace the origin of everything to Moore's law which provides the fuel that has allowed the entire digital industry to develop at an important speed. There is no doubt that the exponential growth of the power of microprocessors and, consequently, of the calculation capacity offered by Moore's law, combined with the level of miniaturization that has been achieved in the production processes of electronic components, unthinkable until a few years ago, has allowed the explosion of the era of telecommunications networks and information technology more generally.
All of this allowed the beginning of the Internet age as a distribution platform for all digital innovations.
Global human population growth is approximately 75 million annually, or 1,1% annually with the world population rising from 2017 to 2020, from 7,7 to 7,8 billion people. In the same period, the "population" of IOT devices connected to the network, on the other hand, went from 8,4 billion to 20,4 billion with an increase of 12 billion objects, or + 242%, which, I believe, has not need more words to describe the measure of the speed at which the digital world travels.
Extreme speed is, therefore, the main feature that characterizes digital ecosystems and that significantly affects cyber risk. Everything is consumed in great haste and as a result, the life cycle of technologies is drastically reduced. If we think, for example, of a capital intensive industry such as that of mobile radio technologies that must absorb high costs for the concession of frequencies and for the drafting of networks, we can observe that in less than 40 years 5 different technologies have followed one another: TACS starts in the early 80s, 2G in 1991, 3G after 10 years, 4G after 9 years and 5G after 8 years and the download speed goes from 384 kbps of the first 3G, to 100 Mbps of 4G, to 10 Gbps of 5G. In this unstoppable growth process, there are two dates that we cannot forget: the extended and low-cost availability of bandwidth capacity on telecommunications networks that can be traced back to the year 2000 and the birth of OTTs, which can be dated between 2007 and 2008. After 2008 we have witnessed the rapid growth in the number of constantly connected devices, an economy that increasingly depends on artificial intelligence algorithms, the growth of the power of social media and the risk of fake news, the growth of the exploitation of personal content due to the constant movement ahead of the trade-off between privacy and service.
In all this turmoil, unfortunately, the sensitivity on information security has not grown with the same speed and today we not only pay the consequences but we risk also putting innovative areas at risk, such as biology and medicine, which, like no other other, they concern human life.
Therefore, it is increasingly urgent and necessary to have a solid cybersecurity roadmap that is part of a global "call to action", aimed at institutions, companies and industry with the common aim of guaranteeing a commitment to accept the challenge of cyber risk and, hopefully , win it.
"A community accepts the challenges it faces precisely because they are not simple, because they give us the opportunity to make the most of our skills and our commitment. "
1 The crispr-cas9 method, which allows to modify the nucleic acids which make up the genome of all living organisms, earned Emmanuelle Charpentier and Jennifer Doudna the Nobel Prize in Chemistry for their ability to "rewrite the code of life" .