CHICAGO – Last month, startup GeneInfoSec launched its bioinformatics security consulting division, offering services including security audits, reviews, and assessments, as well as staff education on safe online practices. So far, the company has landed one undisclosed client for this offering, according to Cofounder and CTO Garrett Schumacher.
For Boulder, Colorado-based GeneInfoSec, this is but the first step on a journey to create a new paradigm in genetic security. The company's nascent R&D arm is developing what its founders hope will be their signature offering, molecular encryption technology.
GeneInfoSec wants to be able to assign a barcode to each molecule of a sample, not just one for the sample itself. "Obviously that would be very expensive," Schumacher said, but added that the company is developing undisclosed methods for reducing the cost so it becomes a viable option.
"On the physical molecule side, we are basically generating barcodes like unique molecular identifiers, tagging them to DNA samples before they're sequenced, just like standard processes, except that every single DNA fragment gets a unique barcode," Schumacher said.
"We're not changing up the laboratory environment. We're not changing up the sequencing itself," Schumacher continued. "We're just saying that instead of barcoding at the sample level, let's take it a step further and let's barcode at the molecular level."
This idea came from founder and CEO Sterling Sawaya when he was a postdoctoral researcher in biosecurity at the University of Colorado Institute for Behavioral Genetics, which is also where he first encountered Schumacher. Sawaya effectively started GeneInfoSec in 2016, though the company was not incorporated until two years later, after Schumacher and the other cofounder, COO Demetrius Nelson, came onboard.
"We saw the insecurity around genetic information systems and thought about what could happen if enough of this data was obtained by adversaries en masse," Schumacher said. "It kind of gets into a lot of sci-fi, futuristic stuff, but it's pretty scary nonetheless."
In addition to the three founders, GeneInfoSec has two security specialists, several marketing and development employees, plus three contractors for the recently launched security services business. A team of nine outside advisors includes a former high-ranking Pentagon official, information security specialists, and biotech industry veterans.
Schumacher said that the company has plans to grow, and understands that GeneInfoSec will be competing for high-demand employees in cybersecurity, privacy, biotech, and business development, even in this current, tough economy suppressed by the COVID-19 pandemic.
The three founders and some partners at the University of Colorado published a paper last month in Frontiers in Bioengineering and Biotechnology that described the perceived holes in current genetic information security. They also have posted a manuscript to the SSRN preprint site about the "weaponization" of genetic data by malicious actors that could have implications in national security, including biowarfare.
"Whether it's national security, personal security, personal privacy, it doesn't matter, especially where in the US we're this melting pot of many ethnicities and nationalities, if we don't have global genetic information security, then we are in for a scary future … where all of these vulnerabilities and risks and threats are going to converge," Schumacher said.
"What we're trying to do is really kind of bridge … cybersecurity and biology and bring resources to these people, help them start to operate securely and build security into their organizations, train their employees, and then perform testing and see where maybe holes are," Schumacher said.
Schumacher admitted that this molecular-level security is probably a few years away from becoming reality. "That's going to be some expensive R&D," he said.
"The molecular cryptography is under development [and] very expensive to implement currently, although it is possible," Schumacher continued. He said that the company has built a prototype that works, but is expensive.
So far, GeneInfoSec has been funded by friends and family in what Schumacher called a "pre-seed round." Going forward, the company will seek both venture capital and unspecified government grants to ramp up its R&D.
"We're not going to put our eggs all in that [grants] basket, but we're hoping for some of that," Schumacher said. He said that the company has had discussions with potential industry partners as well as government and military groups "that would love tech like this."
This level of security may be something that military IT leaders would be interested in. Schumacher noted that the US Department of Defense has advised military personnel not to get DTC genetic tests for security and accuracy reasons.
He said that the company also is thinking about DNA computing and DNA data storage in the future, but offered no details.
In the meantime, GeneInfoSec is now testing what Schumacher called "pseudomolecular encryption," which is done at the software level after the generation of sequencing data. He said the software is in the early development stage now, but should be ready by the end of 2021.
As envisioned, the platform is "100 percent applicable" for a blockchain-type security use case, according to Schumacher, but that is not what GeneInfoSec is currently looking at.
"What we're saying is that we're not changing the behavior in the lab. We're not changing the data output," Schumacher said. "We're simply changing some of the methods for the preparation of those DNA libraries, and we're changing some of the software that would be used on the back-end analysis."
A key change to a standard sequencing workflow is that data controllers and processors would be managing unique IDs for each molecule, not just for each sample. Some back-end analytics would be affected as well, according to Schumacher, because there are so many extra data points.
The designated data controller would be the only one to own the "keys," namely the barcodes, that match data to specific molecules and samples, and would decide who gets access to this information.
Included in GeneInfoSec's plans is an option to add decoy data to samples for an additional level of encryption.
Schumacher said that this is the same idea as a one-way hash function, a cryptographic technique that generates digital signatures in a way that makes it nearly impossible to derive the original data from them. The "source of truth" is stored elsewhere.
"Those are fundamental to security," Schumacher said. "You are essentially now encrypting or concealing information, but then also you can actually now trace the integrity of that information." He called it "obfuscation to the max," but said that is just an extra level of security.
"We never rely on obfuscation, but we add the obfuscation by adding information, concealment, and encryption, and that could be done in the physical upfront DNA library prep. That could be done on the back end after the data is generated. That could be done while the data is being generated. There's a lot of places where that could occur," Schumacher said.
To provide access to data on the research end, the company also is developing software that Schumacher likened to a "modified secure key-storage infrastructure" for decoding.
Schumacher said that the target market is any laboratory that generates genetic data.
The current pandemic presents an ideal use case. Schumacher said that having genetic data on COVID-19 tracking, patient response, and vaccine development widely available has been highly beneficial to researchers and clinicians everywhere.
"Some of that information where you have the genomic sequence of a deadly disease that could be recreated or could be modified, maybe we don't want the whole world to have that," Schumacher mused. "So there are ways to lock certain data down."
Other potential customers include anyone generating or handling genetic data or any other protected health information, according to Schumacher. This could include hospitals or even breeding programs, which manage highly sensitive data, or even direct-to-consumer testing companies.
"We'd love to see that go to the end consumer, like with DTC genetic tests," Schumacher said. Stating his personal opinion, not necessarily that of GeneInfoSec, he said that he would love to see every human get genomic sequencing.
"They [would own] their own keys to unlocking that genomic sequence, and they could choose who to share what information with," he said.
This would put GeneInfoSec into the realm of some personal health records companies, which promise consumer control over their own medical records, but which have failed to gain much of a market after more than 25 years of attempts. Schumacher said that this is not an initial focus of GeneInfoSec, but perhaps a longer-term goal.