From the Fall 2020 Issue

The Convergence and Mutual Opportunity of Bio and Cybersecurity

David Anderson
VP, PMO | SimplyPeer

We are now entering a realm where cybersecurity and biosecurity are forced to converge and evolve rapidly. Digitizing immense amounts of scientific and research data within the life sciences has made cyber threats as concerning, if not more, than the biological risks themselves. This overlap has created a need for cyber biosecurity. By working together, biosecurity and cyber experts have an opportunity to gain some insight and momentum that will develop policies and procedures which can benefit both disciplines.

The term biosecurity was first used in environmental and agriculture communities when referring to naturally occurring threats. At first, this field was focused on approaches to both categorize and mitigate potential invasive threats. However, it has since expanded into an array of disciplines including Biological Warfare, Human Health, Plant & Animal, Bio Supply-Chain, and Laboratory Biosecurity to name a few.

As the complexity of these threats escalate, our focus to both deter and develop a uniform discipline-specific approach becomes necessary to stay ahead of potential dangers.

“Advances in science and technology, the rise of globalization, the emergence of new diseases, and the changing nature of conflict have increased the risks posed by naturally occurring and man-made biological threats[1].”

The process of globalization and humanity’s continual endeavor for progress both influences our capabilities and opens the door for additional threats within the life sciences. Our efforts at global progress often create and expose new vulnerabilities. As we create new viruses or pathogens for research, we expose new threats to our fragile “bioeconomy”.

At first glance, this progression does not seem dissimilar to the rapid transformation that we have witnessed in cybersecurity over the last 20 years. The creation of the first internet worm in 1988, The Morris Worm, was not originally designed to be malicious. It was meant to highlight security flaws of the network; however, its replication system quickly rendered the Arpanet useless, thus resulting in the first Denial of Service incident.

This issue of dual-use within biosecurity and cybersecurity has been a debate since its inception. For every step forward in progress, we are often left dealing with a new threat. This similar progression requires similar responses, as they both exist to find, deter, and mitigate threats to our economy, safety, and daily existence.

One obvious difference between biosecurity and cybersecurity is that 100% of all cyber threats are man-made. America’s biosecurity policies and practices are often based on a well-categorized list of dangerous pathogens and toxins. Cybersecurity does not have the luxury of this often well-defined list of threats when nation-sponsored attackers and cybercriminals are constantly redefining the landscape.

Despite its obvious convergence in the “big data” era, we have yet to fully understand the implications and similarities to how each field recognizes and responds to threats. Perhaps we do need to take a step back and understand how each field approaches dealing with threats.

One of the early focuses in biosecurity dealt with invasive species in the plant and animal realm. This unique threat has been placed under the purview of two specific agencies to develop, implement, and enforce plant biosecurity strategies in the United States. These are the Customs and Border Protection (CBP) agency of the U.S. Department of Homeland Security (DHS) and the Animal and Plant Health Inspection Service’s Plant Protection and Quarantine (APHIS PPQ) of the U.S. Department of Agriculture (USDA).

As stated on the APHIS website, “If a pest or disease of concern is detected, APHIS implements emergency protocols and partners with affected states to quickly manage or eradicate the outbreak. This aggressive approach has enabled APHIS to successfully prevent and respond to potential pest and disease threats to U.S. agriculture.”

What if that threat is a cyber attack that obtains sensitive information, hindering our biosecurity response and rendering our food supply infected and useless? Can you think of an instance where we have such coordination within the cyber community beyond the DOD?

This approach allows a single control authority to oversee and manage risk while coordinating a viable response to a threat amongst agencies. Outside of the government, companies are often left to regulate and deal with cyber instances using their procedures, policies, and deterrents. Companies do not have this specific incident response and deterrent providing oversight and coordination for our protective efforts. Why is that?

The term “zero-day” refers to a newly discovered vulnerability within the software. In the information technology realm, we can often create a patch, update, and create new virus definitions within days or weeks for these vulnerabilities. However, if a similar instance occurs within the biological world, the response time often turns into weeks, months, and sometimes years. Both regulatory and scientific hurdles are difficult to overcome to reduce this response time. If we look at the recent pandemic vaccine response with COVID-19, the reduction in regulatory requirements allow a vaccine to be fast-tracked much like a patch or update.

The economic impact within either of these fields is staggering should a global incident occur. Ransomware costs exceeded $5 billion in 2017, 15 times the cost in 2015. The latest estimates place agriculture and plant production at 1% of our GDP while the data science market value for agriculture is estimated in excess of $20B.[2] That does not account for the potential loss in food supply should our biosecurity measures be thwarted.

Securing the information that is in the human mind is a monumental, colossal, epic task compared with securing digital data! 

We must find commonality in our procedures and processes to work together to mitigate as many of these risks as possible. It is estimated that 98% of all cyberattacks rely on some form of social engineering. Securing the information that is in the human mind is a monumental, colossal, epic task compared with securing digital data! Therefore, it is no surprise that it is also the largest gap in a corporation’s IT security.[3]

With that in mind, combined resources to promote training, policies, and procedures to mitigate risks would benefit both fields and reduce the overhead of battling alone.

The Cyberspace Solarium Commission was established in 2019 to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyber-attacks of significant consequences.” Their finished report was presented to the public on March 11, 2020. In this call to action, they recommend the creation of a National Director of Cyber to coordinate policies across government agencies.

Creating a single point of authority to provide oversight is a first step in coordinating these efforts. But will this National Director’s responsibilities and policies reach the public sector within biosecurity? What oversight and authority will this provide outside of government purview?

In a recent Forbes article, Amit Yoran of Tenable stated that “Thoughtful and well-coordinated cybersecurity policies or lack thereof impact just about every aspect of how this nation is governed and operates.”

We should take that one step further and develop a concerted effort to develop this emerging field and build awareness while preserving productive research environments so that they may protect us in return. As the digital age progresses, we will be forced to coordinate efforts within the public and private sector. Regulators must support professionals in both biosecurity and cybersecurity to ensure our interconnected world is protected from threats. Communities that can rapidly detect and respond to threats in near real-time will be our best defense moving forward. lock

[1] Koblentz, G. (2010). Biosecurity Reconsidered: Calibrating Biological Threats and Responses. International Security. Volume 34. Issue 4, 96-132. Retrieved 8 3, 2020, from https://app.dimensions.ai/details/publication/pub.1030161980

[2] Sykuta, M. E. (2016). Big data in agriculture: property rights, privacy and competition in ag data services. Internat. Food Agribusiness Manage. Rev. 19, 57–74.

[3] Heary, J. (n.d.). Top 5 Social Engineering Exploit Techniques. Retrieved 8 4, 2020, from PCWorld: http://www.pcworld.com/article/182180/top_5_social_engineering_exploit_techniques.html

Leave a Comment