WIRED: The bio-crime prophecy: DNA hacking the biggest opportunity since cyber attacks

This article was taken from the June 2013 issue of Wired magazine.

There have always been hackers. If we look back 30 years to the earliest days of the personal computer, the first iteration were DIY types with cobbled-together devices, tinkering in garages and basements and meeting periodically to share their stories. Their intentions were mostly non-malicious: they hacked for fun and to learn what was possible. From these dabblers came the first generation of technology entrepreneurs, such as Steve Wozniak, Steve Jobs and Bill Gates.

But, as computing grew into a global and highly profitable industry, hacker numbers swelled and a darker side to the culture emerged. In the early days of criminal hacking it was about showing what was possible – breaking into systems for fun and the challenge. Later, a profit motive emerged, which attracted criminal elements that were serious, organised and global. As a result, the US now classifies cyberspace as a new domain of battle – as significant as air, land or sea – and has new agencies to secure it.

But there’s another domain of battle coming in the near future, one that is as real, yet as intangible, as cyberspace.

It is likely to become the most complex yet: it’s easy to hack and hard to defend because there’s no way to live without it. It is the domain of biology.

A living cell is analogous to a computer, albeit a very sophisticated one, made of carbon rather than silicon. At its heart is an operating system. It’s written in DNA nucleotides – chemical bits denoted in the less familiar As, Ts, Cs and Gs of DNA code – but, fundamentally, not so different from the zeroes and ones of electronic software.

Seen this way, cells are self-assembling, non-toxic, self-repairing, low-energy, infinitely scalable and adaptive computing devices. Moreover, even though life has evolved over billions of years and digital computers have been engineered for just a few decades, their fundamental architectures aren’t all that different. Cells are hardware and DNA is software. The result?

Biology, like other forms of computing, can be hacked.

And it is being hacked, every day.

Mapped on to computing’s timeline, biological hacking is still in its early stages: roughly, we’re in 1979. DNA hackers are still innocent, even playful. But this innocence is unlikely to last long: computing advances at the pace of Moore’s law, in which processing power doubles or its price halves every two years, whereas genomics is charging ahead at least five times faster.

The first human genome, which was completed in 2000, cost about £2 billion; now sequencing costs less than £2,500. And this is just the beginning – a human genome could, in theory, cost less than a pound by the end of the decade. No other technology has fallen in price so quickly.

Over the last 20 years, tens of billions of pounds have flooded into molecular biology and genetics industries. This has led to new technologies for reading DNA. Every day, new genomes are uploaded into health-science databases, and the pace is rapidly increasing. All this data has produced an army of bioinformatics scientists, whose job is to organise all this code and figure out what it does.

But reading DNA is only the beginning: science has evolved to the point where human beings can write DNA code as well.

As a result, thousands of scientists, known as genetic engineers, are programming living things directly. Genetic engineering used to be very hard and very expensive. Not any more. In fact, advanced genetic engineering can now be done with just a few weeks of training, a laptop and a credit card.

This means that we’re on the cusp of a revolution in biotechnology: faster, cheaper and more powerful biotechnologies. On the positive side, this opens the door to scientific breakthroughs in biological understanding, diagnostics and new treatments. As we learn to code in biology, radical new possibilities arise, including abundant biofuels, better medicines and life extension. It also means that we could be approaching a new era of biological hacking, biological attack and even biological warfare. And the best place to look for how these scenarios – some of them terrifying – will play out is our experience of cyberspace.

Bad bio

There have been only a handful of non-government-sponsored biological attacks. The best known example was the mailing of anthrax spores to media outlets and two US senators in September 2001. Five people died.

Security agencies consider bioterrorism a growing risk for two reasons: the first is that advances – such as DNA synthesis and biological design software – allow the creation of biological agents in ways that were historically impossible. For instance, the Japanese terrorist organisation Aum Shinrikyo, the group behind the sarin gas attack on the Tokyo subway in 1995, had a full-scale bioweapons programme. Despite investing more than $10 million (£6.6 million) in the programme, the group abandoned it due to its complexity.

Today such an attack is comparatively easy to carry out. Governments store any harmful agents (“select agents”) they may have stockpiled in secure sites, but the DNA code of many of them exists in public databases. Synthetic biology, which allows the building of synthetic organisms, sidesteps these safeguards and potentially allows the design of novel bioweapons.

The other reason is statistical: biological engineering could become as common as software engineering, bringing millions of new developers into the field. Lunatics must be expected.

A deranged biotechnologist could create the stuff of nightmares: even a small attack could produce economic fallout disproportionate to any actual illness or death caused. And there’s little need to even have a genuine agent in the first place; all that’s required is some white powder. A few pennies’ worth of baking soda and a stamp can result in disruptive evacuations and hundreds of wasted hours of investigator and police time, costing millions. This is a great return for the terrorist pound. Targeting publicly traded companies could provide terrorists the opportunity to profit from short selling. Officials lack tools to analyse biological agents quickly and, indeed, often know little about microbes.

Moreover, a 2008 US government report warned that civilian labs with dangerous pathogens could easily be compromised.

Cities, nations, the entire planet, can be held hostage by a microbe. In 2009, an outbreak of H1N1 influenza (swine flu) in Mexico City disrupted travel for weeks. A co-ordinated attack could cripple any city. The fact that no global system exists for monitoring biological agents in public areas in real time increases our vulnerability. In the US, the Real-time Outbreak and Disease Surveillance (RODS) has been used since 1999, but its overall effectiveness is unknown. Without good early-warning systems, the first evidence of a spreading infection comes from hospital admissions. The lag can be weeks. Google Flu Trends, which tracks user search terms related to flu, can predict outbreaks up to two weeks before World Health Organization reports. The Global Viral Forecasting Initiative, created by virologist Nathan Wolfe and based in San Francisco, scans global news sources and co-ordinates with laboratories for sample analysis. However, until a global system is in place, we are blind to harmful agents that may be spreading in the wild.

Infectious agents are invisible and odourless.

Some spread through the air. Depending on the latency and infectivity of the agent, exposure could occur long before any warning is issued. If testing is required, a hospital – where infectious agents concentrate – would be the worst place to go.

The best course is to stay indoors and avoid human contact until the immediate threat has passed, which could be weeks.

Terrorism and warfare are extremes of human behaviour: the life sciences will be hacked more, for ends that are simply mundane and antisocial. Because biology is another computational domain, biocrime is highly likely to mirror today’s cybercrime.

Fundamental to information security are concepts of confidentiality, integrity and availability of data. In order to avoid cybercrime, private information such as credit-card numbers and bank details must be kept confidential, data integrity must be maintained, and it must be available when needed. What is true in the digital world should also be true for biology. We will need to protect our confidential genetic data, ensure its integrity (both in real space and in central databases), and keep it available and functioning properly to ensure critical life functions.

And if we don’t? Read on to find out the consequences.

Biological spam

The most common form of computer attack is spam – sending unsolicited mails in bulk. Spam messages are easy and cheap to produce – 100,000 emails can be sent for around 60p, and trillions of messages are sent each year. DNA is even cheaper to generate, potentially making engineered biological spam very common in the future.

What would biospam look like? It could use natural forms of widely propagating genetic information – viruses, sperm, pollen or seeds – only engineered with an agenda in mind: in most cases, to make money. By definition, it would be (mostly) harmless.

Consider the common cold, or rhinovirus. It’s a natural form of spam, causing no disease – just a bothersome immune response. There are about 100 natural variants, and synthetic variants would be relatively easy to make. They spread easily. A synthetic batch could blanket the world in months.

Without natural immunity, infection rates would be high, increasing sales of vitamins, cold remedies and tissues, already estimated at £27 billion annually.

As biological-engineering capabilities grow more sophisticated, so will the spam. Synthetic bacterial systems can already support programmed pattern formation: agents could be developed that produce embarrassing rashes with patterns or even logos.

Biological spam can also be passive. SelectaDNA, a British company, sells theft prevention systems that, when activated, mist coded DNA messages that persist on skin and clothing, helping to link suspects to a crime scene. Deployed in public spaces, similar systems would tag everything that passes through the area, allowing effective tracing, even over long time-periods.

There would be few natural defences against biological spam, creating a lucrative market for anti-spam strategies, from synthetic vaccines to DNA-degrading detergents to obfuscating DNA tags.

Phishing for DNA

A more sophisticated variant of spam, phishing, seeks surreptitiously to co-opt user login and other confidential information via data-mining techniques that mimic legitimate organisations’ websites or their communications. Users typically receive official-looking emails that purport to come from their banks or other financial institutions with a link that clicks through to a criminal website. This encourages users to enter their valuable login details. According to Norman Sadeh at Carnegie Mellon University, nearly 500 million phishing emails are distributed every day.

The biological equivalent of this is mining someone’s DNA or other biometric data in a furtive manner in order to analyse or manipulate it. Because people are always “online” in the material world, biophishing could actually prove easier to accomplish than in the virtual world. We are all constantly shedding skin cells. We leave our saliva on every cup, fork or cigarette. The only way to ensure our DNA isn’t available for collection is to be physically sequestered, to interact only with trusted individuals, and to dispose securely of any item that we have touched. For most people, even prime ministers and presidents, this is an impossible order.

Hotel bathrooms and beds are ideal locations for DNA phishing. Fluids and ejaculates, a used tampon, hairs on pillows or sheets – all could provide ample material for analysis. Airline seats and rental cars offer other sources of DNA and cells linked to a particular driver or passenger. Manicurists, hair-stylists and waiters would have easy opportunity to collect samples. And beyond DNA, entire microflora of viruses and bacteria could be sampled.

These signatures can be far more specific than fingerprints, and vast amounts of data are available from every toilet or used tissue. Sewer lines from specific properties could be tapped and mined for biological data. Getting the data is easier than ever: last year, a citizen-science startup company called uBiome began offering microbiomes at hobbyist prices.

The challenge of security extends beyond the present day: even if comprehensive precautions were put into place to bio-shield a particular target, their historical DNA data could still be mined. DNA is very stable and can be isolated from old clothing, papers and other objects, even after hundreds of years. Even the DNA of unborn children is within reach – recovered from baby cells plucked from a mother’s blood sample by automated cell sorting.

Similarly, biometric data can be collected from individuals without their knowledge. Examples include fingerprints, toeprints, facial geometries, retinal scans and gait analysis (the unique biomechanics of body presentation and movement). Criminals could also phish for genetic code or live cells from biotech companies that would allow them, for example, to clone biologically produced drugs, resulting in biological knock-offs. This could be done by hacking corporate and government databases, bribing technologists to steal samples from bioreactors, or simply by stealing DNA code published in patent applications.

The vast amounts of personal data available might catalyse the emergence of “bio-paparazzi”, who would swoop on restaurants and hotels to source samples of celebrity DNA, or search through archived medical or laboratory samples.

Defending oneself will involve a combination of expensive strategies, such as physical sweeps, concentrated contaminating solutions, auditing and confirming the destruction of biological samples, and electronic sensors that are able to detect or thwart remote biometric scanning. Yet, these measures only need to fail once for data to be collected. In many cases, the most efficient and economic practice may be proactive release of genetic data, either under licence or open source. Thousands of individuals in the Public Genome Project have already chosen the latter route, volunteering to share their complete genetic codes and other biometrics with the world.

Identity theft

According to the National Fraud Authority, identity theft costs the UK around £2.7 billion per year and affects two million people. As we store genetic data, so too will criminals target it just as they have targeted bank details. Many countries, including the UK, France, Germany, New Zealand, Sweden and the US, hold national DNA databases for criminal identification, but the amount of DNA data stored today is nothing compared to the amount that will be stored in the future. Some hospitals now perform genetic screenings on newborns: the Danish Newborn Screening Biobank at Statens Serum Institute, Copenhagen, keeps a sample from everyone born after 1981 to test for phenylketonuria, but samples have been used to identify the deceased as well as suspected criminals.

People are choosing to have their DNA tested for health reasons, to promote medical research and to investigate their genealogy. Although we would like to think that the most secure databases are safe, they are routinely compromised. And anonymisation isn’t foolproof: in early 2013, Science published a paper in which a researcher used openly available sources of DNA data to tie submitted samples to individuals by name.

DNA will be used for identification and authentication, meaning that access to DNA databases will enable identity-related crimes. Decisions about employment and parental suitability may be based upon genetic data. Those with undesirable traits may steal the genetic identity of others to circumvent restrictions. The ultimate form of identity theft is human cloning.

Few, if any, technical barriers remain – obstacles are largely ethical, and as biological technologies become more familiar, these are likely to erode.

Spoofing

The recent scandal over the mislabelling of meat provides a useful parallel with online “spoofing”, whereby some digital content masquerades as something else in order to gain illegitimate access or advantage. In a human context, biospoofing means duplicating another person’s biological or biometric information. Genetic impersonation means that a person’s presence could be mimicked.

Planting false evidence could trick police into believing a person was involved in a crime, or be used during a crime to confuse investigators.

Spoofing could be as simple as collecting DNA in one place and taking it to another. However, with synthetic DNA technologies, it could soon be possible to “print” passable copies of a genome using existing data, circumventing the need for a physical connection with the subject. In an article published in the Journal of Forensic Sciences International, researchers demonstrated that it is possible to isolate DNA lifted from a tissue or glass and mass-produce it. This could then be implanted into the blood cells of a third party and the manipulated blood spread across a crime scene. The result: a person framed. The study further showed that a forensic laboratory actually tied the spoofed material to the innocent party.

In-vitro sperm could allow spoofing of a sexual encounter that would be difficult to disprove, because only very sophisticated analysis can detect such a manipulation. It may even be able to support fertilisation, raising the prospect of unauthorised paternity or false allegations of sexual assault.

Denial of service

Denial of service (DoS) is a targeted attack that seeks to cripple a specific server or network by sending requests – such as page views – in overwhelming volume. Used in corporate warfare, covert cyberwarfare, extortion and by activists, DoS attacks are, effectively, a form of weaponised spam. Biological equivalents might involve the production of relatively harmless natural or synthetic agents (viruses, bacteria, allergens etc) directed towards either the public or even a particular person, organisation, country or company and delivered through multiple channels.

Individuals could be singled out by infecting them with agents that produce chronic fatigue, reducing their ability to function. Organisations could be precision-targeted through contamination of delivered mail, environmental systems or cafeterias. Wider areas could be affected by releasing agents into municipal water supplies, into the air using crop-dusting equipment or via foodstuffs delivered to the region. The agents need not cause serious disease or harm; they may not even have to exist. Just the credible threat of attack could be sufficient to disrupt business operations, travel plans, or manipulate stock prices.

Biotechnology could also be used to challenge what is perceived as bad biotechnology. For example, bio-activists could engineer pathogens specific to a particular GMO crop or company – reducing yields, creating blemishes, prompting expensive product recalls, or generating negative media attention and reducing consumer confidence. Conceivably, biotech companies might even develop such denial of service agents themselves, to deactivate unauthorised use of their products, or potentially attack those of their competitors. Warfare, but of the economic kind.

Piracy

A wide variety of biological and genetic materials will be pirated as digital media have been. Drugs are likely to be an area ripe for biological piracy. As the field of synthetic biology progresses and therapies are developed to treat infectious diseases and cancers, people will clamour for these treatments. Organised crime will be there to provide pirated versions. Although there are few consumer-facing biotech brands now, when they do appear their products are highly likely to be pirated. If aliquots – portions of larger samples – of such engineered cells that form the basis of valuable product can be acquired, production can be seeded at other locations in much the same way brewers pass on yeast strains.

This is why most biotech-production plants have access restrictions on a par with classified-weapons depots.

Examples from other industries that have been targeted – software, music, designer goods – show that piracy is extremely difficult to combat. Nevertheless, with the advent of synthetic biology, we can expect to see the producers of “biological IP” push hard to protect their investments. The US government has even approved genetic-use-restriction technology (GURT) for these purposes.

Companies such as agribusiness giant Monsanto have developed “terminator seeds” – plants which have been genetically engineered so that all harvests are sterile, unable to produce further crops. By genetically modifying the seeds, Monsanto – and others – have thus created the biological equivalent of digital-rights management.

Medical samples have also been exploited. Famously, the cells removed from Henrietta Lacks when she was undergoing treatment for cancer are the root source of the HeLa cell line, now used globally in research. Many public policy, legal and ethical questions will arise regarding the appropriate use and ownership of genetic material. For the most part, we are wholly unprepared for these discussions.

Spear phishing (and Stuxnet equivalents)

The software virus Stuxnet was designed for a single purpose: to undermine the control systems at the Natanz nuclear-enrichment plant, thereby slowing Iran’s nuclear programme. The infection was designed to disrupt equipment operations while displaying to plant operators that all was well. Just as hackers, governments and spies have crafted specific cyber tools to focus on a particular target, so biological equivalents can be developed.

This could be an agent that compromises people, other living things or perhaps an organisation. For example, biological agents could cause workers at a specific plant or country to get ill, die or otherwise behave erratically at a frequency low enough to be mistaken as a naturally occurring phenomenon. Or consider a neurological agent that causes generalised depression or malaise in a population, perhaps a nation’s military, leading to debilitating or demoralising conditions that might not be noticed until hospitalisations or suicide-rates skyrocket.

It is possible, as molecular-control mechanisms improve in synthetic biology, that specific agents could be engineered to affect just a single person, such as the leader of a country or company. There are numerous economic and political motivations for this. Cancer, which touches many lives, may be a particularly powerful agent. Imagine if Steve Jobs’s cancer was actually an engineered attack by an industrial competitor. Some Venezuelans believe Hugo Chávez was deliberately infected with cancer. But agents could be made more pernicious, affecting low-level neurological functions, for instance. Imagine if David Cameron could no longer remember the details of briefings? Such precision is beyond what’s possible today, but it may loom into view as personalised medicine and targeted molecular therapies advance toward clinical use.

As biology emerges as another generalised computing medium, future biological creations will, just like electronic computing, extend their reach into every aspect of our lives and into every industry, transforming them both to their very core.

If our experience with cyberspace is any indication, these developments will unfold unpredictably, yet there are important lessons to be learned. The internet was built for redundancy, not security. As a result, we have the omnipresent spectre of cybercrime looming over us. Before we enter the age of programmable biology, we must contemplate what we might do differently to avoid the mistakes we made in our development of silicon-based computing. DNA is the common thread that runs through all living things. Without it, there is no life. As such, we have no alternative to seriously considering how we will protect the world’s original operating system.

Marc Goodman founded the Future Crimes Institute and is chair for policy, law and ethics at the Singularity University. He’s a senior advisor to Interpol and has worked with the UN and the US government on global security. Andrew Hessel is a distinguished researcher at Autodesk Inc in the Bio/Nano Programmable Matter group.