With the digitalization of our most permanent form of identity, deoxyribonucleic acid (DNA), the blueprint of our existence, we must carefully consider novel vulnerabilities. As professionals, we are ethically obligated to explore new threat vectors and take appropriate action to mitigate these risks. A key consideration in the security of any system is that all input be sanitized and validated before execution. As the University of Washington demonstrated, failure to do so can result in catastrophic consequences.  

Their research showcased how a buffer overflow allowed for malicious code, which was crafted and embedded into DNA for the system to sequence, to execute at the system level. While this is a new threat vector unique to gene editing and the machines that sequence those bits of DNA, the concept of utilizing invalid input to attack a system is a classic cybersecurity concern – unchecked input leading to system exploitation. This same idea could be applied to bar code scanners, RFID scanners, and voice recognition systems, where malformed input could trigger unintended execution. Ensuring rigorous input validation is necessary to prevent this unintended execution and to safeguard data.  

Consider the rise of AI/voice recognition in use at drive-through restaurants and the instances where customers have been able to order absurd items such as 999 straws or menu items that are invalid like steak at Wendy’s, Lasagna at McDonald’s. These interactions may seem harmless, but really, they point to a deeper issue: systems designed to process human input without proper validation can be manipulated, misused, or even weaponized. The consequences of failing to regulate these technologies pose threats far beyond fast food orders. If automated ordering systems can be exploited for amusement, imagine if similar vulnerabilities existed in genetic databases that might use automation for human interaction.  

My stance on the issue lies in the realm of privacy and data ownership. I believe the companies that offer the genetic testing and DNA collecting services should be required to heavily protect it while its under their custody, and after they’ve provided the services the user requested such as genealogy or paternity testing, that data should be returned to the person who owns it and the physical form destroyed. Imagine being one of the consumers who utilized Ancestry only to find out years later that they were acquired by a massive investment firm, Blackstone, and their biological data with it. Those individuals’ permanent DNA is now digitalized and turned into a corporate asset where it will be handled as such, potentially used for things far beyond the original intent. As CRISPR gene editing advances, so will the need for strict regulation and security measures. Without strong safeguards, the risk for genetic manipulation, corporate data exploitation, and unauthorized genetic profiling may escalate, threatening individuals’ autonomy over their DNA.  

Coldeway, D. (2017, August). Malicious code written into DNA infects the computer that reads it.  

Rizkallah, J. (2018, November). Hacking Humans: Protecting Our DNA From Cybercriminals.