Journal:National and transnational security implications of asymmetric access to and use of biological data
|Full article title||National and transnational security implications of asymmetric access to and use of biological data|
|Journal||Frontiers in Bioengineering and Biotechnology|
|Author(s)||Berger, Kavita M.; Schneck, Phyllis A.|
|Author affiliation(s)||Gryphon Scientific, LLC; Promontory Financial Group, an IBM Company|
|Primary contact||Email: kberger at gryphonscientific dot com|
|Editors||Murch, Randall S.|
|Volume and issue||7|
|Distribution license||Creative Commons Attribution 4.0 International|
Biology and biotechnology have changed dramatically during the past 20 years, in part because of increases in computational capabilities and use of engineering principles to study biology. The advances in supercomputing, data storage capacity, and cloud platforms enable scientists throughout the world to generate, analyze, share, and store vast amounts of data, some of which are biological and much of which may be used to understand the human condition, agricultural systems, evolution, and environmental ecosystems. These advances and applications have enabled: (1) the emergence of data science, which involves the development of new algorithms to analyze and visualize data; and (2) the use of engineering approaches to manipulate or create new biological organisms that have specific functions, such as production of industrial chemical precursors and development of environmental bio-based sensors. Several biological sciences fields harness the capabilities of computer, data, and engineering sciences, including synthetic biology, precision medicine, precision agriculture, and systems biology. These advances and applications are not limited to one country. This capability has economic and physical consequences but is vulnerable to unauthorized intervention. Healthcare and genomic information of patients, information about pharmaceutical and biotechnology products in development, and results of scientific research have been stolen by state and non-state actors through infiltration of databases and computer systems containing this information. Countries have developed their own policies for governing data generation, access, and sharing with foreign entities, resulting in asymmetry of data sharing. This paper describes security implications of asymmetric access to and use of biological data.
Keywords: biotechnology, cybersecurity, information security, data vulnerability, biological data, biosecurity, data access, data protection
Advances in computer science, engineering, and data science have changed research, development, and application of biology and biotechnology in the United States and internationally. Examples of changes include: (a) increased reliance on internet connectivity for research and laboratory operations; (b) increased use of automation in life-science laboratories; (c) application of the “design-build-test” paradigm to create new biological organisms; (d) increased generation, analyses, and computational modeling of information about biological systems, cells, and molecules; (e) treatment of organisms and DNA as materials rather than phenomena to study; and (f) new funders such as venture capital, crowdfunding platforms, and foreign companies and governments. These changes have transformed the scientific, agricultural, and health communities' ability to understand and manipulate the world around them. In addition, the changes have enabled an influx of new practitioners and problem-solvers into biology, providing opportunities for education and research all over the world.
Biotechnology harnesses the capabilities of computer, data, and engineering sciences to establish and advance new fields such as synthetic biology, precision medicine, precision agriculture, and systems biology. Cloud-based platforms and open-source, easy-to-use software enable scientists from anywhere in the world to use advanced data analytics in their studies. The software and hardware emerging from these fields improve our collective understanding of molecular and systems-level genetics, new drug therapies for longer and better quality of life, and design of novel and/or unnatural organisms. Critical to these pursuits is the sharing of research results and underlying data, without which societal decision-making about human, animal, plant, and environmental health cannot be realized fully. However, during the past two decades, concerns about data sharing have been raised, resulting in the issuance of international, regional, and national-level policies governing access to different types of data, including biological data. In addition, the platforms through which data are stored, transported, and analyzed may be vulnerable to unauthorized acquisition of information by malicious actors, which could lead to significant economic and physical harms to the health, safety, and security of a population. Although not considered “dual use life sciences research of concern,” the potential for both benefit and risk to humanity meets the spirit of the dual use concept. Given the significant benefits afforded by data sharing and analysis, this paper highlights current data protection policies, potential risks of data exploitation by malicious actors, and potential strategies to mitigate those risks and promote rapid recovery in biotechnology fields that are breached.
The interconnectedness between the digital and biological worlds can be exploited by state actors, malicious nonstate actors, and hackers through a variety of means, resulting in harmful consequences from potential theft of information, promulgation of incorrect information, and/or disruption of activities. For example, theft of proprietary information from a pharmaceutical or biotechnology company may reveal trade secrets and allow competitors to develop superior products and/or bring existing products to market more quickly, stifling innovation in the global commercial market and allowing adversaries to create harmful, untested therapies. Another example is theft of hundreds of millions of electronic healthcare records, the uses of which are not clear. Although unauthorized access to protected data may be aided by technical vulnerabilities in networked computer systems, poor security practices, insider threats in academia, industry, and health facilities, and legal business dealings also can enable adversary access to such data. For examples, more than half of all data breaches at healthcare facilities are caused by healthcare personnel errors, a quarter of which resulted in unauthorized access to or disclosure of patient records through sharing of unencrypted information, sending information to the wrong patients, and accessing the data without authorization. In addition, the Federal Bureau of Investigation (FBI) has raised national security concerns about foreign access to genomic data of U.S. citizens through legitimate scientific collaboration, funding of scientific research, investment in genomic sequencing companies (e.g., China-based WuXi Healthcare Ventures investment in the U.S.-based 23andMe), and purchase of companies (e.g., Complete Genomics). As vulnerabilities are created through scientific advances, such as the use of machine learning algorithms to trick fingerprint authentication systems, new risks are identified. Some of these concerns have resulted in the passage of the 2018 Foreign Investment Risk Review Modernization Act, which has initiated reform of the U.S. Government process for evaluating foreign investment in U.S. entities and export control of emerging technologies. Yet, these policy activities largely are reactive, rather than proactive.
Current approaches to protecting data
Preventing accidental and deliberate risks typically involves the use of cyber and information security systems that include technological and behavioral solutions. Protection of laboratory control systems, computer networks, and databases often involves the use of technological solutions. However, some risks are addressed better through training of personnel to recognize and report phishing attempts, ensure sensitive information is encrypted, and prevent unauthorized individuals from gaining access to sensitive data, databases, and computer networks. To enhance security, policies for promulgating these practices for specific materials and information have been issued. For example, the U.S. Biological Select Agents and Toxins Regulations include guidance for network security to prevent failure of laboratories, equipment, and access controls to facilities and data. In addition, the U.S. has policies for protecting individual privacy, several of which were described in a 2014 report sponsored by the White House. However, error, carelessness, or negligence by personnel can counteract the benefits afforded by security measures and may lead to devastating consequences if biological data and materials are involved.
Although policies for protecting biological data from cyberattack are limited, policies that govern data access and sharing are prevalent. These top-down, data access policies intend to protect individual rights and/or prevent sharing or distribution of data, including biological data. Examples of recent policies include: (a) the 2018 update of the European Union General Data Protection Regulation, which strengthened the European Union's rules for protecting personal data of individuals, in part by giving its citizens “more control over their personal data”; (b) the 2018 Chinese Personal Information Security Specification, which is one system under the Chinese Cybersecurity law, involves the “collection, storage, use, sharing, transfer, and disclosure of personal information,” and enables companies operating in China to access data to “not hamper the development of fields like AI”; (c) the 2018 General Data Protection Law in Brazil, which provides a framework for the use of personal data in Brazil; and (d) the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA), which promotes the protection of privacy and security of patient health information in the United States. At the same time, the U.S. has issued policies governing data generation, access, and sharing to promote information-sharing and transparency of government-sponsored research. Internationally, the Nagoya Protocol of the Convention on Biodiversity promotes governance on access to and fair, equitable sharing of the benefits from the use of non-human biological data. However, questions exist about whether the Nagoya Protocol focuses more on biological samples that provide genetic information or the genetic information itself, which ultimately affects national-level efforts for codifying the international agreement. Despite these activities, protection of some data, such as personal health data, may not extend beyond a country's borders and may apply only to data collected by certain entities. Furthermore, data protection polices do not extend to information that already has been stolen. Taken together, these national, regional, and international level policies for data protection may not prevent the inappropriate or unauthorized acquisition of data to different actors, the consequences of which are unclear for biotechnology data.
Vulnerability of biotechnology data
The primary challenges in identifying, assessing, and mitigating security vulnerabilities of biotechnology data are understanding: (a) how the data may be exploited by adversaries and what consequences result from this exploitation; and (2) what potential negative effects may arise from digitization of biotechnology and advanced computation of biological data. The term “biotechnology” refers to the exploitation of biological processes for industrial and scientific purposes, and includes genetic manipulation of microbes, plants, animals, human cells, nucleic acids (the building blocks of genomes), and proteins (the functional units in cells). This definition is expanded further to include generation, incorporation, and use of digital forms of biological data. These biological data may be available online through databases, such as the U.S. National Center for Biotechnology Information's GenBank, or generated in a laboratory and stored, shared, and/or analyzed locally or remotely (via online and/or cloud-based software). By attempting to answer the questions posed above, specific risks associated with the legal and illegal acquisition of biological data may be identified and mitigated.
Although extraordinary advances in computing power are enabling unprecedented scientific discoveries, its application to biology and healthcare is increasing without effective protection from the risks of adversary acquisition or accidental misuse of information. Scientific data that is generated in basic and applied research laboratories in academia, non-profit research organizations, service providers, and some industry research facilities may be considered fundamental research destined for publication and public benefit. These data are not necessarily sensitive, but they do represent the results of significant investment by governments, industry, investors, and philanthropic organizations. Therefore, theft or large-scale acquisition of these data may have adverse economic consequences to the organization, field, or nation, especially if acquisition was directed by adversarial nation-states to gain competitive advantage in a given sector. As previously described, databases that store sensitive and/or non-sensitive biological data have been infiltrated by external actors and accessed by unauthorized individuals. Although measures to protect data have been implemented in several institutions, cyber and information security policies, practices, and compliance vary across biotechnology sectors, location, and organization type (e.g., academia, industry). Although implementation of cyber, information, and data security in biological facilities can help to minimize the potential for deliberate or accidental release of protected biological data, these measures are insufficient on their own.
Furthermore, the increasing size and volume of the datasets, and the complexity of analytic technologies has led many scientists to rely on cloud-based platforms to store, transfer, and analyze data. These platforms and technologies, including online analysis software and applications, often do not prevent unauthorized access to data or ensure software fidelity. Although mitigating specific vulnerabilities may be possible on an individual platform or technology level, implementing protections across the various data generation, analysis, transfer, and storage platforms currently in use in academia, industry, government laboratories, and healthcare facilities is challenging. Countering these risks requires the identification of consequences that are of particular concern to public safety and national security, evaluation of vulnerabilities that may enable the realization of these consequences, and identification of measures to address these vulnerabilities.
Possible prevention and mitigation approaches
Modern cyber and information security reflects the risks experienced as the internet has grown and diversified, and as the capabilities for and speed of storing, processing, and transporting information have increased exponentially. The internet was built without a priority on the protection of data whether “at rest” (i.e., stored data) or “in motion” (i.e., data in transit). Current strategies for addressing cyber risks focus on remediation through regulation, organizational support, and actions taken by data owners and consumers in the form of encryption technologies, access control measures, awareness-raising campaigns, risk assessment, blocking, limiting publication of sensitive information, and other similar practices. The challenge is understanding how these measures are to be applied to biotechnology data, how to balance the cost of implementation with the consequences if left unprotected, and what vulnerabilities cannot be mitigated using commercial products.
Often the entities that assess their cyber vulnerabilities and invest in cyber and information security measures are compelled to do so because of regulation and fiscal responsibility. However, unlike financial information, biotechnology data is regulated in some countries, but not others. For example, China issued a recent policy requiring a domestic collaborator and Ministry-level approval for research involving genomic data of Chinese citizens and/or biological samples obtained in China to prevent exploitation of these data and samples. This and similar policies raise questions about their intended and unintended effects to nations, to the scientific community, and to international security mainly because the policies that may benefit one country could harm another. These harms may reveal new types of risks associated with the acquisition and use of data to manipulate biological systems. These risks may be perpetrated by different actors; affect sector and country economies, commercial biotechnology, and pharmaceutical markets domestically and internationally; and alter global strategic power dynamics.
The risks associated with biotechnology data do not conform to traditional biosecurity concerns, which focus primarily on risks to human health or the food and agriculture economy. These risks involve multiple domains, sectors, and nations resulting in outcomes such as shifting of balance of power of nations at the international level, which could have downstream effects on areas that overlap with biosecurity interests (e.g., biosafety and biosecurity, biothreat reduction, and global health security). Strategies for bridging the biological, cyber, information, and data security include: (a) collaboration between the biological and cybersecurity communities; (b) end-to-end risk assessments; (c) data-specific risk and vulnerability assessments; and (d) application of the NIST Cybersecurity Framework for protecting biological data.
These suggested strategies (detailed below) describe various approaches toward protecting biological data from unauthorized acquisition and use, enhancing efforts to preserve data integrity and provenance, and enabling future benefit of biotechnological advances.
Formal collaboration between the biotechnology and biological, information, data, and cyber security communities would enhance efforts toward identification of risks and vulnerabilities associated with data management, provenance, and integrity, and risk mitigation strategies. Technologies are readily available to protect data, but their use must be harmonized worldwide, because protecting data in one database is ineffective if another database remains vulnerable to external threats. Furthermore, organizations may evade regulatory requirements and industry standards in protecting data because of perceived lack of cost savings for implementing cybersecurity measures or lack of awareness of the risks, which could lead to investor, intruder, or adversary access to sensitive information that may be stored in databases or transferred between computers. These vulnerabilities may be exacerbated by limitations of national laws to other sovereign states, and differences in interpretation of the types of data included in the scope of existing laws.
The takeaway: Given these potential vulnerabilities, the cybersecurity and biotechnology communities must engage to create best practices and processes to protect data and mitigate risk while reaping the benefits of computing technology applications to biotechnology.
End-to-end risk assessment
End-to-end assessments of the data storage, processing, and transport pipeline can identify outstanding vulnerabilities and technical gaps that may be addressed with currently available cyber, information, and data security solutions. This process would enable identification of gaps for which these measures are insufficient and of institutions that are responsible for implementing controls. Without this type of assessment, vulnerabilities may exist along the pipeline without its users' knowledge. A lack of rigorous analysis makes biological data vulnerable to acquisition or alteration by witting adversaries, potentially resulting in theft of intellectual property for commercial gain, foreign government acquisition of genomic data from large portions of a population for undefined purpose or compromise of software and data integrity. At least one country promotes acquisition of data though legitimate commercial practices (e.g., providing sequencing services to customers; partnering with academia, independent research institutions, and universities; and foreign investment), talent promotion programs, and theft of data. The FBI has expressed concerns about the theft of U.S. genomics and health information through cyberattacks and foreign investment in the U.S. biotechnology industry. The FBI argues that acquisition of this information can give adversaries an unfair advantage in the international pharmaceutical or biotechnology marketplace. Others have expressed concern about questionable use of genetic information that countries obtain from their own citizens or from other countries' citizens.
The takeway: These risks could be addressed by conducting an end-to-end risk assessment of the software and equipment involved in the data pipeline within individual organizations, between organizations, and across countries.
Data-specific risk mitigation
Defining the consequences of greatest concern to national security is an initial step toward assessing the risks and vulnerabilities of the information itself and data-specific risk mitigation strategies. Evaluating these risks enables the identification of content-specific approaches for detecting and countering exploitation of vulnerabilities by insider and external actors. Without these assessments, only generic cyber and information security measures will be implemented. However, these measures are insufficient to counter adversaries who are intent on acquiring data through a variety of technical, social engineering, or other means. Given this reality, rapid detection and resilience (i.e., rapid recovery after a breach) are critical for reaping the benefits and minimizing the vulnerabilities of advanced electronic computation and mass connectivity. In 2014, the White House explored technology needs for protecting the security and privacy of exposed data, including healthcare data. But, these studies did not define consequences of concern related to the unauthorized acquisition of vast amounts of biological data, effectively limiting the identification of data-specific or process-specific prevention measures.
The takeaway: Therefore, risk assessments of specific types of data are equally as important to conduct as analyses of vulnerabilities of laboratory control systems, data management platforms, and computer networks.
Application of the NIST Cybersecurity Framework
Application of the National Institute of Standards and Technology (NIST) Cybersecurity Framework to all systems of storage, processing and transport of biological data would help explore where, how, and by whom data is processed with the goal of protecting valuable scientific and health information. The NIST framework involves a collaboration of private sector and government cybersecurity experts that seek to apply the five principles of data protection (i.e., identify, protect, detect, respond, and recover) to systems, including those on which biological data are generated, processed and transported. The framework could augment existing or newly-implemented efforts of vulnerability detection and mitigation, thus decreasing unauthorized exposure of sensitive data. The NIST framework is a widely accepted paradigm for cyber risk management and best practices. In the U.S., this framework has been used in regulatory dialogues to demonstrate rigor toward cybersecurity in sectors for which such requirements are not well-documented in law.
The takeaway: Application of the NIST framework to biotechnology can enhance data protection and a focus on rapid detection of nefarious activity and resiliency after an attack.
KB and PS contributed equally to this manuscript. The concepts, conclusions, and recommendations were generated jointly by the authors and built on their respective expertise in the biological sciences and biosecurity, and computer science and cybersecurity.
The views and conclusions contained herein are those of the authors and should not be interpreted as representing the views and conclusions or official policies and endorsements, either expressed or implied, of Griffin Scientific, Promontory Financial Group, or the U.S. Government.
Conflict of interest
KB was employed by Gryphon Scientific. PS was employed by Promontory Financial Group, which is an IBM Company.
The authors declare that the paper was written in the absence of any commercial or financial relationships that would constitute a conflict of interest.
- Accenture (2015). "The Future of Applications in Life Sciences" (PDF). Accenture. https://www.accenture.com/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Dualpub_20/Accenture-15-1429U-FutureOfApps-LSCS-v5-web.pdf.
- Bajema, N.E.; DiEuliis, D.; Lutes, C.; Lim, Y.-B. (2018). "The digitization of biology: Understanding the new risks and implications for governance". Emergence & Convergence: 3. https://wmdcenter.ndu.edu/Media/News/Article/1569559/the-digitization-of-biology-understanding-the-new-risks-and-implications-for-go/.
- Olena, A. (1 June 2018). "Bringing the Internet of Things into the Lab". The Scientist. https://www.the-scientist.com/bio-business/bringing-the-internet-of-things-into-the-lab-64265.
- Chapman, T. (2003). "Lab automation and robotics: Automation on the move". Nature 421 (6923): 661, 663, 665–6. doi:10.1038/421661a. PMID 12571603.
- Agapakis, C.M. (2014). "Designing synthetic biology". ACS Synthetic Biology 3 (3): 121–8. doi:10.1021/sb4001068. PMID 24156739.
- Carbonell, P.; Jervis, A.J.; Robinson, C.J. et al. (2018). "An automated Design-Build-Test-Learn pipeline for enhanced microbial production of fine chemicals". Communications Biology 1: 66. doi:10.1038/s42003-018-0076-9. PMC PMC6123781. PMID 30271948. http://www.pubmedcentral.nih.gov/articlerender.fcgi?tool=pmcentrez&artid=PMC6123781.
- Thurow, K.; Göde, B.; Dingerdissen, U. Stoll, N. (2004). "Laboratory Information Management Systems for Life Science Applications". Organic Process Researh & Development 8 (6): 970–982. doi:10.1021/op040017s.
- Walpole, J.; Papin, J.A.; Peirce, S.M. (2013). "Multiscale computational models of complex biological systems". Annual Review of Biomedical Engineering 15: 137–54. doi:10.1146/annurev-bioeng-071811-150104. PMC PMC3970111. PMID 23642247. http://www.pubmedcentral.nih.gov/articlerender.fcgi?tool=pmcentrez&artid=PMC3970111.
- Service, R.F. (2 March 2017). "DNA could store all of the world's data in one room". Science. doi:10.1126/science.aal0852. https://www.sciencemag.org/news/2017/03/dna-could-store-all-worlds-data-one-room.
- Anderson, L.A.; Islam, M.A.; Prather, K.L.J. (2018). "Synthetic biology strategies for improving microbial synthesis of "green" biopolymers". Journal of Biological Chemistry 293 (14): 5053-5061. doi:10.1074/jbc.TM117.000368. PMC PMC5892568. PMID 29339554. http://www.pubmedcentral.nih.gov/articlerender.fcgi?tool=pmcentrez&artid=PMC5892568.
- Patel, P. (20 February 2018). "DNA Data Storage Gets Random Access". IEEE Spectrum. https://spectrum.ieee.org/the-human-os/biomedical/devices/dna-data-storage-gets-random-access.
- von Krogh, G.; Battistini, B.; Pachidou, F.; Baschera, P. (2012). "The changing face of corporate venturing in biotechnology". Nature Biotechnology 30 (10): 911–5. doi:10.1038/nbt.2383. PMID 23051802.
- Cha, A.E. (18 January 2015). "Crowdfunding propels scientific research". The Washington Post. https://www.washingtonpost.com/national/health-science/crowdfunding-propels-scientific-research/2015/01/18/c1937690-9758-11e4-8005-1924ede3e54a_story.html?utm_term=.734eb498edb5.
- Mervis, J. (9 March 2017). "Data check: U.S. government share of basic research funding falls below 50%". Science. doi:10.1126/science.aal0890. https://www.sciencemag.org/news/2017/03/data-check-us-government-share-basic-research-funding-falls-below-50.
- U.S. Government (March 2012). "United States Government Policy for Oversight of Life Sciences Dual Use Research of Concern" (PDF). http://www.phe.gov/s3/dualuse/Documents/us-policy-durc-032812.pdf.
- U.S. Government (September 2014). "United States Government Policy for Institutional Oversight of Life Sciences Dual Use Research of Concern" (PDF). http://www.phe.gov/s3/dualuse/Documents/durc-policy.pdf.
- National Research Council (2004). Biotechnology Research in an Age of Terrorism. National Academies Press. doi:10.17226/10827. ISBN 9780309166874. https://www.nap.edu/catalog/10827/biotechnology-research-in-an-age-of-terrorism.
- Lord, R.; Forbes Technology Council (15 December 2017). "The Real Threat Of Identity Theft Is In Your Medical Records, Not Credit Cards". Forbes. https://www.forbes.com/sites/forbestechcouncil/2017/12/15/the-real-threat-of-identity-theft-is-in-your-medical-records-not-credit-cards/#445711491b59.
- Souza, C. (10 December 2018). "Lessons for Pharma from the Merck Cyber Attack". PharmExec.com 38 (12). http://www.pharmexec.com/lessons-pharma-merck-cyber-attack. Retrieved 21 January 2019.
- Ward, A. (11 December 2018). "SIS's Use of Social Media Still Poses a Threat to Stability in the Middle East and Africa". The RAND Blog. https://www.rand.org/blog/2018/12/isiss-use-of-social-media-still-poses-a-threat-to-stability.html. Retrieved 21 January 2019.
- Friedman, A.A. (25 September 2013). "Cyber Theft of Competitive Data: Asking the Right Questions". Brookings. The Brookings Institution. https://www.brookings.edu/research/cyber-theft-of-competitive-data-asking-the-right-questions/.
- Bogle, A. (7 June 2018). "Healthcare data a growing target for hackers, cybersecurity experts warn". ABC.net.au. https://www.abc.net.au/news/science/2018-04-18/healthcare-target-for-hackers-experts-warn/9663304. Retrieved 23 November 2018.
- Cohen, J. (23 March 2018). "Massive cyberhack by Iran allegedly stole research from 320 universities, governments, and companies". Science. doi:10.1126/science.aat6849. https://www.sciencemag.org/news/2018/03/massive-cyber-hack-iran-allegedly-stole-research-320-universities-governments-and.
- Healthcare IT News Staff (2018). "The biggest healthcare data breaches of 2018 (so far)". Healthcare IT News. https://www.healthcareitnews.com/projects/biggest-healthcare-data-breaches-2018-so-far. Retrieved 23 November 2018.
- Huang, E.; Steger, I. (29 October 2018). "China Is Secretly Enrolling Military Scientists in Western Universities". Defense One. https://www.defenseone.com/threats/2018/10/china-secretly-enrolling-military-scientists-western-universities/152383/. Retrieved 23 November 2018.
- Keown, A. (18 September 2018). "Second Scientist Pleads Guilty to Stealing GlaxoSmithKline Trade Secrets". BioSpace. https://www.biospace.com/article/-jc1n-second-scientist-pleads-guilty-to-stealing-glaxosmithkline-trade-secrets/. Retrieved 23 November 2018.
- Lynch, D.J. (2017). "Biotechnology: the US-China Dispute over Genentic Data". Financial Times. https://www.ft.com/content/245a7c60-6880-11e7-9a66-93fb352ba1fe. Retrieved 23 November 2018.
- Rappeport, A. (10 October 2018). "In New Slap at China, U.S. Expands Power to Block Foreign Investments". The New York Times. https://www.nytimes.com/2018/10/10/business/us-china-investment-cfius.html. Retrieved 23 November 2018.
- Bloomberg News (19 April 2018). "Chinese funds pour US$1.4b into US biotechnology firms in the first three months of the year". South China Morning Post. https://www.scmp.com/business/global-economy/article/2142351/chinese-funds-pour-us14b-us-biotechnology-firms-first-three. Retrieved 23 November 2018.
- Respaut, R.; Zhu, J. (23 September 2018). "As China builds biotech sector, cash floods U.S. startups". Reuters. https://www.reuters.com/article/us-biotech-china-investment/as-china-builds-biotech-sector-cash-floods-u-s-startups-idUSKCN1M400G. Retrieved 23 November 2018.
- Bai, G.; Jiang, J.X.; Flasher, R. (2017). "Hospital risk of data breaches". JAMA Internal Medicine 1777 (6): 878-880. doi:10.1001/jamainternmed.2017.0336. PMC PMC5818824. PMID 28384777. http://www.pubmedcentral.nih.gov/articlerender.fcgi?tool=pmcentrez&artid=PMC5818824.
- Michigan State University (19 November 2018). "Healthcare providers -- not hackers -- leak more of your data". EurekAlert!. https://eurekalert.org/pub_releases/2018-11/msu-hp-111618.php. Retrieved 23 November 2019.
- BioSpace (21 October 2015). "WuXi Healthcare Invests In US Genomics Testmaker 23andMe". BioSpace. https://www.biospace.com/article/releases/-b-wuxi-healthcare-b-invests-in-us-genomics-testmaker-23andme-/.
- Mui, Y.Q. (30 December 2016). "China’s $9 billion effort to beat the U.S. in genetic testing". The Washington Post. https://www.washingtonpost.com/news/wonk/wp/2016/12/30/chinas-9-billion-effort-to-beat-the-u-s-in-genetic-testing/?noredirect=on&utm_term=.8586cdbf28b8.
- Baker, M. (2012). "China buys U.S. sequencing firm". Nature 489 (7417): 485–6. doi:10.1038/489485a. PMID 23018943.
- Genome Web Staff Reporter (17 September 2012). "Complete Genomics, BGI Agree to $117.6M Merger". Genome Web. https://www.genomeweb.com/clinical-sequencing/complete-genomics-bgi-agree-1176m-merger#.XEqIOFxKiUl. Retrieved 24 January 2019.
- Bontrager, P.; Roy, A.; Togelius, J. et al. (18 October 2018). "DeepMasterPrints: Generating MasterPrints for Dictionary Attacks via Latent Variable Evolution". arXiv.org. https://arxiv.org/abs/1705.07386.
- NYU Tandon School of Engineering (20 November 2018). "Machine Learning Masters the Fingerprint to Fool Biometric Systems". PR Newswire. https://www.prnewswire.com/news-releases/machine-learning-masters-the-fingerprint-to-fool-biometric-systems-300753375.html.
- U.S. Congress (2018). "S. 2098 (115th): Foreign Investment Risk Review Modernization Act of 2018". govtrack. https://www.govtrack.us/congress/bills/115/s2098.
- CDC, USDA (2017). "Information Systems Security Control Guidance". Federal Select Agent Program. https://www.selectagents.gov/isg-intro.html.
- Big Data and Privacy Working Group (February 2015). "Big Data: Seizing Opportunities, Preserving Values" (PDF). U.S. Government. https://obamawhitehouse.archives.gov/sites/default/files/docs/20150204_Big_Data_Seizing_Opportunities_Preserving_Values_Memo.pdf.
- European Commission (2018). "2018 reform of EU data protection rules". https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en.
- Sacks, S. (9 March 2018). "China’s Emerging Data Privacy System and GDPR". Center for Strategic & International Studies. https://www.csis.org/analysis/chinas-emerging-data-privacy-system-and-gdpr.
- Soares, E. (28 August 2018). "Brazil: Personal Data Protection Law Enacted". Global Legal Monitor. https://www.loc.gov/law/foreign-news/article/brazil-personal-data-protection-law-enacted/.
- U.S. Department of Health and Human Services (26 July 2013). "Summary of the HIPAA Security Rule". https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html.
- Van Noorden, R. (22 February 2013). "White House announces new US open-access policy". Nature NewsBlog. http://blogs.nature.com/news/2013/02/us-white-house-announces-open-access-policy.html. Retrieved 23 November 2018.
- United Nations Environment Programme. "About the Nagoya Protocol". Convention on Biological Diversity. https://www.cbd.int/abs/about/.
- dos S. Ribeiro, C.; Koopmans, M.P.; Haringhuizen, G.B. (26 October 2018). "Threats to timely sharing of pathogen sequence data". Science. doi:10.1126/science.aau5229. https://science.sciencemag.org/content/362/6413/404.
- NCBI (2013). "GenBank Overview". https://www.ncbi.nlm.nih.gov/genbank/.
- The Commission on the Theft of American Intellectual Property (May 2013). "The IP Commission Report" (PDF). National Bureau of Asian Research. http://www.ipcommission.org/report/IP_Commission_Report_052213.pdf.
- Press, G. (3 December 2018). "60 Cybersecurity Predictions for 2019". Forbes. https://www.forbes.com/sites/gilpress/2018/12/03/60-cybersecurity-predictions-for-2019/#759f17fc4352.
- Denning, P.J.; Lewis, T.G. (2017). "Exponential laws of computing growth". Communications of the ACM 60 (1): 54–65. doi:10.1145/2976758.
- Dauch, K.; Nestler, R. (2009). "Information Assurance Using a Defense In-Depth Strategy". 2009 Cybersecurity Applications & Technology Conference for Homeland Security: 267–72. doi:10.1109/CATCH.2009.25.
- inap_admin (20 June 2013). "Data in motion vs. data at rest". ThinkIT blog. INAP. https://www.inap.com/blog/data-in-motion-vs-data-at-rest/. Retrieved 24 January 2019.
- McDonald, K. (10 April 2017). "Private sector's national cybersecurity strategy contributions lacking". TechTarget SearchCompliance. https://searchcompliance.techtarget.com/opinion/Private-sectors-national-cybersecurity-strategy-contributions-lacking. Retrieved 24 January 2019.
- Tuzman, K.T. (11 October 2018). "Border security for China’s genomes". Biocentury. https://www.biocentury.com/bc-innovations/strategy/2018-10-11/balancing-protection-and-translation-china%E2%80%99s-genomic-data-troves.
- Capaccio, A. (21 June 2018). "U.S. Faces ‘Unprecedented Threat’ From China on Tech Takeover". Bloomberg. https://www.bloomberg.com/news/articles/2018-06-22/china-s-thousand-talents-called-key-in-seizing-u-s-expertise. Retrieved 23 November 2018.
- Jia, H. (17 January 2018). "China’s plan to recruit talented researchers". Naturejobs Career Guide: China. doi:10.1038/d41586-018-00538-z. https://www.nature.com/articles/d41586-018-00538-z.
- Riley, M.; Walcott, J. (5 June 2015). "China’s Hack of U.S. Data Tied to Health-Care Record Thefts". Bloomberg. https://www.bloomberg.com/news/articles/2015-06-05/u-s-government-data-breach-tied-to-theft-of-health-care-records.
- Dilanian, K. (9 October 2018). "China's hackers are stealing secrets from U.S. firms again, experts say". NBC News. https://www.nbcnews.com/news/china/china-s-hackers-are-stealing-secrets-u-s-firms-again-n917836. Retrieved 29 January 2019.
- Kaiser, J.; Malakoff, D. (27 August 2018). "NIH investigating whether U.S. scientists are sharing ideas with foreign governments". Science. doi:10.1126/science.aav2343. https://www.sciencemag.org/news/2018/08/nih-investigating-whether-us-scientists-are-sharing-ideas-foreign-governments.
- Wilber, D.Q.. "Chinese hackers charged with stealing data from Navy, JPL and U.S. companies". Los Angeles Times. https://www.latimes.com/politics/la-na-pol-chinese-espionage-indictment-20181220-story.html.
- You, E.H. (10 March 2017). "Safeguarding the Bioeconomy: U.S. Opportunities and Challenges" (PDF). https://www.ehidc.org/sites/default/files/resources/files/Ed_You_Testimony_USCC.pdf.
- Human Rights Watch (13 December 2017). "China: Minority Region Collects Data from Millions". Human Rights Watch News. https://www.hrw.org/news/2017/12/13/china-minority-region-collects-dna-millions#.
- Lynch, D.J. (2017). "Biotechnology: the US-China Dispute over Genentic Data". Financial Times. https://www.ft.com/content/245a7c60-6880-11e7-9a66-93fb352ba1fe. Retrieved 23 November 2018.
- Pauwels, E.; Vidyarthi, A. (19 November 2017). "Who Will Own The Secrets In Our Genes? A U.S. – China Race in Artificial Intelligence and Genomics". Science and Technology Innovation Program. Wilson Center. https://www.wilsoncenter.org/publication/who-will-own-the-secrets-our-genes-us-china-race-artificial-intelligence-and-genomics.
- Big Data and Privacy Working Group (May 2014). "Big Data: Seizing Opportunities, Preserving Values" (PDF). U.S. Government. https://obamawhitehouse.archives.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf.
- President's Council of Advisors on Science and Technology (May 2014). "Big Data and Privacy: A Technological Perspective" (PDF). U.S. Government. https://obamawhitehouse.archives.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-_may_2014.pdf.
- National Institute of Standards and Technology (2018). "Cybersecurity Framework". https://www.nist.gov/cyberframework.
- Department of Homeland Security (22 August 2018). "Using the Cybersecurity Framework". https://www.dhs.gov/using-cybersecurity-framework.
- Lohrmann, D. (20 May 2018). "Why You Need the Cybersecurity Framework". Government Technology. https://www.govtech.com/blogs/lohrmann-on-cybersecurity/why-you-need-the-cybersecurity-framework.html.
- Roncevich, T. (14 June 2018). "Healthcare IT Security Best Practices: Adopting NIST's Cybersecurity Framework". Cyberguard Compliance Blog. https://info.cgcompliance.com/blog/healthcare-it-security-best-practices-adopting-nists-cybersecurity-framework. Retrieved 24 January 2019.
This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added. The two footnotes in the original material were turned into inline references for this version.