Defining “Cyberbiosecurity” and why we should stop using the term
The term cyberbiosecurity is rapidly making its way around the internet, academic, and government communities. If you want a silly analogy, you might say it's spreading like an emerging infection through various host communities. Specifically, communities with no innate immunity to fight off the misinformation.
So why is the term “cyberbiosecurity” dangerous?
First, let's start with what it should be, then chat about how it's perceived, and finally we can discuss why it's causing challenges in the community.
What cyberbiosecurity should mean
According to Norton, the company that makes Norton Antivirus:
Cybersecurity is the state or process of protecting and recovering networks, devices, and programs from any type of cyberattack.
This means that cybersecurity is specifically protecting systems against CYBER attacks.
Biosecurity is defined as:
Procedures intended to protect humans or animals against disease or harmful biological agents.
This means that if we were to combine these two fields into a distinct discipline, then it would mean the following:
The protection of networks, devices, and programs against disease or harmful biological agents
Now, on the surface this seems like a very reasonable focus for study. If we want to understand more about the growing potential to build data and information into DNA, then we need to understand what can be done as a result.
In fact, researchers at the University of Washington actually used DNA to conduct a trivial “hack” on a DNA sequencer. While interesting, the scenario presented was so contrived that, in its current state, it would never demonstrate a real threat.
The second lesson learned from this science demonstration is that:
If your DNA sequencer can’t talk to your sensitive personnel database, then you have no risk other than a single piece of hardware failing.
And the act of making sure your networks are clean, segregated, and overall hardened is purely a cybersecurity issue, NOT a cyberbiosecurity issue.
What the term means to the general user
Ok, well you might be saying cyberbiosecurity IS a thing, it’s just a narrow field. If it was that simple, I would agree with you. Unfortunately, this is not how the world works.
I have sat in many meetings with leaders and decision makers listening to people debate the definition of cyberbiosecurity.
- Some people define it as all of the cyber vulnerabilities in a biomedical laboratory. However, if this was the definition then that is cybersecurity.
- Some people define it as the misuse of genomic information. However, if this was the definition then that is a security and privacy issue.
- More dangerously, some people define cyberbiosecurity as anything that has to do with computers, technology, and biology. That is such a broad definition that in fact it doesn’t mean anything at that point.
Because there is no consensus, and because very few people have ever actually worked in both cybersecurity and biosecurity, the term is confusing and misleading.
I would be remiss, however, to not point out that the fact that we have the community talking about these issues in general should be applauded. The biology community is late to the game when it comes to understanding cyber issues, and it's time we step up. However, just because we’re late to the game doesn’t mean we deserve our own special seating section away from the rest of the crowd.
The implications of cyberbiosecurity being misused
The term cyberbiosecurity has been created and propagated out of the academic community, largely for the purposes of generating publications that can be cited to justify new grant funding. Again, kudos for being forward-thinking with enough initiative to generate a whole “field” rather than try to compete against others in well-defined fields for funding.
The issue arises when an academic field starts to cause problems for people trying to conduct real-world security work.
It is causing real operational challenges
I was recently having a conversation with a cybersecurity firm about the possibility of them working with a series of biology laboratories to provide cybersecurity services. In the conversation, one of my colleagues brought up cyberbiosecurity, and the firm said:
We can’t help you, because we don’t work in biology, so we can’t do cyberbiosecurity
At that point, the term started creating real operational challenges for people trying to build security into modern biotechnology. More so, that’s when the term started being counterproductive to its own cause.
It's detracting from the real problem it's trying to solve
As I mentioned before, just because the biology community is late to the cyber game doesn’t mean we should carve out our own special seating section.
The simple act of carving our cyber challenges into a new field, away from the profound body of knowledge and pool of experts working on this in other fields, does harm to our goals. Our issues are no more special than any other field's. I’m just as concerned with a cyberattack compromising an aircraft manufacturing facility, or a nuclear or chemical facility, as I am a biological production facility.
We need to take cybersecurity very seriously in the biology and biotechnology world. We need to harden our laboratory systems, we need to make sure our networks are secure, segregated, and that we all understand good cyber hygiene.
The community needs to continue to charge forward on this topic. We need to welcome practitioners from other fields with open arms, and we need to do everything we can to be a part of the broader security conversations.
We do not want to be out in the cold, trying to use cyberbiosecurity to solve our own set of problems while the rest of the world bands together to solve the same cyber problems. In this case, we do not want to be unique, we want to be stronger together.