Threatpost Op-Ed is a regular feature where experts contribute essays and commentary on what’s happening in security and privacy. Today’s contributor is Alexandrea Mellen.

alexandrea_mellenWhite and black hat hackers specialize in altering, accessing and sometimes destroying information. Genetic engineers take this idea a step further by manipulating the most important kind of information a human being has: DNA.

Research is in progress today to alter DNA in human cells, and this is just the beginning. Community labs, which allow more than just academic institutions and those who own the proper expensive equipment to experiment and contribute to genetic engineering research, are growing in popularity and are already accessible in some places. And though this is still a fledgling field, it is spreading like wildfire, and it will not take long before the research expands to include a dangerous and malicious side. As this work escalates, so too does the need for proper defense.

Information security professionals have the tools and understand the overarching ideas to properly defend information, and those ideas can extend to genetic information security. InfoSec revolves around the idea of safeguarding information of any kind from unauthorized access, even DNA. Genetic information security is on the cusp of becoming a new and intriguing branch of information security that would greatly benefit from being guided and supported by current information security professionals.

In genetic engineering, the information being infiltrated, manipulated, and hacked is DNA. The most relevant and striking research being cultivated in this field is for the modification of human characteristics. Scientists at UC Berkeley have developed a technique to alter the DNA in human cells, and scientists at the University of Virginia are employing gene therapy and magnetic fields to remotely control neurons in the brain. Research like these has a lot of potential for advances in transhumanism, but more important to information security professionals, it may also be used as an attack on an asset in the form of DNA.

Consider the inherent negative ramifications of being able to control the neurons in an individual’s brain from afar, or modify the DNA of a specific group of people on a whim. For example, CRISPR gene-editing technology has been used in an attempt to strike out HIV. Rather than achieve its goal, it may be establishing mutations that make HIV stronger and more resistant to certain treatments. HIV killed 1.1 million people last year alone, before any malicious modification. Consider how much worse HIV and other viruses could become in the wrong hands. Even when this research is done with the best intentions, it could still severely negatively impact the world.

On a smaller scale, there will be worried individuals who seek a way to prevent gene modification on themselves or their families. On a larger scale, governments and organizations will want to ensure that destructive genetic tampering is not done to their citizens or soldiers. It is critical to develop a line of defense against these kinds of attacks for both scenarios, and this can be done more effectively as a branch of information security. Preventing genetic engineering on the DNA level is just another form of defending information from unauthorized modification.

Do-It-Yourself Genetic Engineering

This type of research was previously limited in scope to those willing to pay the extraordinarily expensive startup costs associated with genetic equipment, such as universities. However, within the last five years, grassroots, non-profit organizations have been working to change that. Genetic engineering has been thrust into the public sphere with the advent of community biology labs run by these organizations. Expensive, previously unavailable tools are now becoming accessible to the populace at minimal cost. For example, bioCURIOUS, located in San Francisco, charges a $100/month membership fee. This fee includes lab space, class discounts, supplies and equipment, storage space, training, and office space. Just the equipment list alone is impressive, with many of the items costing between $1,000 – $4,000 apiece. These kinds of labs have led to less-regulated genetic engineering being undertaken and studied. Anyone with a thirst for DIY biology can attend group meetings, confer with other genetic engineers, biologists, and biosafety experts (amateur or otherwise), and access shared equipment. These groups follow their own code of ethics, some of which require members to research for exclusively peaceful purposes, while others do not.

If this sounds familiar, that’s because it is.

While this idea is just budding in the genetic engineering community, it is already deeply rooted in the information security community. Traditional computer hackers have been participating in groups and events comparable to these community labs for years in the form of hackerspaces, online hacker labs, and CTFs. It is the perfect time for hackers to share the nuances of creating a successful white hat community in a situation where something as important as our genetic makeup is at stake.

Collaboration between information security experts and genetic engineers extends beyond organizing a successful community. Modern InfoSec professionals and academics have been researching similar issues to genetic information security experts since the 1970s, just on different hardware.

For example, malicious gene modification can be considered analogous to malware. In this case, genes correspond to information that needs to be protected, and gene modification techniques correspond to malware. Continuing this further, gene modification techniques could begin to mirror worms and allow gene modification attacks to spread from person to person through avenues such as bodily fluids or physical contact. Genetic information security professionals need to develop a form of antimalware for DNA to prevent gene modification from affecting unsuspecting individuals.

Social engineering attacks such as phishing can easily be extended to genetic information security. Obtaining DNA through phishing attacks has been used for years by police officers. For instance, police officers in Seattle masqueraded as lawyers in order to procure a DNA sample from a suspected murderer in 2003, which led to his conviction. This situation is a phishing attack reframed in a genetic information security context: sensitive information (DNA) was obtained by individuals impersonating a trusted entity (police officers as lawyers). On a more sinister note, these same attacks could be used by criminals to steal DNA, which is illegal in some states in the U.S. and in Great Britain. Genetic information security, using information security ideas, can present a viable defense through obfuscation. Temporary or more permanent DNA obfuscation can be used to prevent DNA theft.

Temporary DNA obfuscation can hide DNA by spreading synthesized or collected DNA. DNA contamination is a huge hindrance to DNA recognition, so providing DNA that has been beclouded can be a potential deterrent for thieves. However, this is a double-edged sword, as DNA obfuscation can also be used for malicious motives. If DNA can be disguised to prevent gene identification, it can also be used for something comparable to a spoofing attack. In this instance, synthesized or collected DNA can be used to impersonate another individual or prevent proper identification. A spoofing attack of this form could be used to cheat DNA testing systems, among other things.

More permanent DNA obfuscation could completely change DNA until it is unrecognizable by others. While this is not currently possible, it is conceivable with gene-editing tools such as CRISPR. This is akin to encrypting human DNA so that even if someone were able to steal it, they would be unable to make use of it without being authorized by the owner. To put this into context, any DNA sample a person accidentally leaves behind, such as skin or hair, would be impossible to compare to that same individuals future DNA sample (whether provided unwittingly or otherwise) without information to decrypt it.

Applying the CIA Triad to Genetic Engineering

Significant principles in information security are also practical for genetic information security. The basis of information security, the CIA triad (Confidentiality, Integrity, and Availability), is an important and applicable model for the basis of genetic information security. Confidentiality, integrity, and availability should all be assured when dealing with genetic information security. Confidentiality is necessary to limit access to DNA for the safety of the owner. Integrity is important to guarantee the DNA is still accurate and complete despite protection or enhancements. Availability is crucial to establish that the DNA is accessible only by those who are given the right to access it by the owner.

These three pillars of information security are incredibly relevant when laying the foundation for genetic information security. At the very least, the framework information security professionals have built is applicable to genetic information security. Though the form of the information is different, information security constructs apply and have the potential to be exceptionally useful when understanding how to defend against genetic attacks.

The world has seen just a small piece of what genetic engineering is capable of. As this field grows through universities and independent organizations, there will be incredible advances in transhumanism and other areas. However, as with all technical and scientific advancements, genetic engineering can be used for destructive purposes. It is crucial to have a line of defense, especially given the enormous impact this kind of attack could have. Information security professionals can help effectively and securely create this line of defense. Genetic information security is about to become a unique and compelling extension of information security that would vastly benefit from the principles and advice of information security professionals.

Alexandrea Mellen is a computer engineer with a history of entrepreneurship. She spends most of her time working as CEO of Terrapin, a company that makes mobile apps for high school and college students. 

Categories: Hacks, IoT, Vulnerabilities