Fouad’s “Cyberbiosecurity in the New Normal” attempts to elevate the digitisation of biology into a matter of international security. She is right that biology is now deeply digital, and that this creates new attack surfaces. Where the article overreaches is in treating these risks as exceptional, geopolitically novel, or strategically transformative in themselves. Most cyberbio risks today are not exotic or unprecedented; they are familiar engineering and governance failures appearing in a new domain. The danger is less hacked DNA than over-securitised data.

Executive Summary (TL;DR)

Fouad’s “Cyberbiosecurity in the New Normal: Cyberbio Risks, Pre-emptive Security, and the Global Governance of Bioinformation” is an ambitious academic attempt to bolt the language of international security onto the biotech/cyber mash-up we’re now calling “cyberbiosecurity”. Fouad frames this convergence as a potential strategic rupture demanding new governance regimes; this is where her analysis becomes politically interesting but operationally inflated.

She’s half-right. There is a real issue here — but not the apocalypse she hints at. Yes, the digitisation of biology creates attack surfaces: genomic data leaks, compromised sequencing pipelines, maybe even dodgy firmware in lab gear. Those are valid, boringly practical engineering problems. They’re solvable with the same discipline we already apply in regulated industrial systems — controlled environments, validated software, supply-chain security, audit trails, etc.

The rest of it — the geopolitical panic, the talk of “bioinformation as a global commons”, and the hand-wringing about Western hegemony — is less threat intelligence than governance critique. The supposed “futuristic” horrors (malware in DNA, rogue CRISPR sequences spreading through the network) are still mostly speculative fiction. There are, of course, proof-of-concept demonstrations — most notably the 2017 University of Washington experiment encoding malware in synthetic DNA to exploit vulnerabilities in sequencing software, and subsequent analyses of weaknesses in bioinformatics pipelines. These show that such attacks are theoretically possible. They do not show that they are practical, scalable, or strategically decisive in real laboratory or clinical environments today. The gap between demonstration and deployment remains wide. Interesting to discuss, but we’re nowhere near that level of convergence in the real world. The bigger issue right now isn’t a hacker re-coding a genome; it’s a lab technician running unpatched Windows — as illustrated by repeated ransomware incidents in pharmaceutical and biotech firms during Covid, and large-scale breaches of consumer genetic databases.

Fouad’s real contribution is political, not technical: she’s warning that cyberbiosecurity could become the next justification for state control, closed science, and data hoarding. That’s a fair point — once governments label something a “security” issue, collaboration dies. But in practice, most labs and firms just need competent infosec and regulatory hygiene, not a new UN treaty on DNA.

So: her fears are theoretically possible but operationally remote. The “new normal” she describes exists, but it looks a lot more like version-control problems in biotech data systems than cyber-Frankenstein. For engineers and policymakers who’ve been around real systems, this is less a warning from the future and more an over-extended thought experiment dressed up as policy analysis.

In short: not Michael Crichton-level sci-fi, but still more fiction than field report.

Contents

1. Introduction

In an era in which the life sciences increasingly converge with information technology, the terrain of security is being fundamentally reconfigured. Noran Shafik Fouad’s article offers a timely and incisive intervention into this evolving “cyber-bio” confluence: what she terms “cyberbiosecurity”. At its core, the article asks: how should we understand the governance of bioinformation in the new normal of post-Covid, digitally mediated science? How are threat discourses being co-produced with policy regimes, and what are the equity and power implications of framing bio-information as a strategic asset subject to cyber-threats? The article maps this terrain, critiques dominant framings, and issues normative guidance for treating bioinformation as a global common good rather than merely a national strategic resource.

This review takes Fouad’s argument seriously, but evaluates it from the perspective of cyber resilience, assurance and real systems: where threats are tested, mitigated, and governed in practice rather than theorised in the abstract.

2. Defining the Field: Cyberbiosecurity in Context

Fouad begins by tracing the digitisation of the life sciences: from genome sequencing, synthetic biology, lab automation, big-data analytics in biomedical domains, to emergent uses of DNA as storage medium. These developments signal a shift in the life sciences into an “infosphere” in which biological processes and data flows become cyber-mediated. The term cyberbiosecurity (or biocybersecurity) emerges in the life sciences literature to capture the cyber risks that arise from this digitised convergence: malware embedded in DNA sequences, corrupted gene-sequencing, compromised biomedical materials, theft of epidemiological data, or weaponisation of biology via digital intrusion.

What is particularly useful in Fouad’s treatment is her insistence that cyberbiosecurity must not simply be read as “cybersecurity plus bioscience”, but as a qualitatively distinct field that requires critical interrogation from International Relations (IR) and Security Studies perspectives. She argues, correctly, that although the life sciences literature tends to frame these risks in technically deterministic ways (e.g., “what if someone hacks gene-editing”), IR must shift the analytical lens to the politics of securitisation, threat-construction, and the global governance of bioinformation.

The difficulty is not that these risks are fictional, but that their framing often outruns their operational maturity. In practice, most cyberbio incidents collapse into familiar classes of failure: compromised software supply chains, weak access control to sensitive datasets, poor segmentation between lab automation and enterprise IT, and under-resourced governance. The convergence is real; the novelty is often overstated.

3. Threat Discourses, Pre-emptive Security and Governance of Bioinformation

A major contribution of Fouad’s article lies in its deconstruction of how cyberbiosecurity as a field is produced through particular threat logics and security imaginaries. She identifies three key security modalities in current cyberbio risk discourse: (1) the peculiarity of cyberbiosecurity – as distinct and even exceptional compared to established cybersecurity or biosecurity frames; (2) the futuristic framing of threats – scenarios that may not yet have historical precedent; and (3) a focus on high-profile, physically consequential threats (e.g., a hacked genome causing outbreaks) rather than the “mundane” or everyday risks.

On the first point, Fouad critiques claims that cyberbiosecurity is uniquely different, arguing that treating it as wholly separate risks reinforcing a securitisation dynamic rather than encouraging more reflexive governance. In terms of the second, she draws a parallel with earlier cybersecurity discourses (e.g., “Cyber 9/11”, “Cyber Pearl Harbor”) that emphasised catastrophic and unprecedented events­—warning that this can lead to strategic mis-focus, neglecting more probable risks. As she notes:

“Futuristic security framings that emphasise peculiarity and high-profile threats with potential physical consequences can overlook security approaches that consider wider societal implications of cyber-threats …”

The third modality matters for testing and resilience: by privileging spectacular scenarios, we risk under-investing in the kinds of systemic vulnerabilities that manifest more diffusely (e.g., vulnerabilities in genetic data pipelines, mis-configurations, supply-chain weaknesses in biotech instrumentation). This resonates with contemporary thinking in cyber resilience testing: the most dangerous events are not always the big bombs but the quiet failures of system integrity.

Fouad then turns to the governance of bioinformation. Here she emphasises that bioinformation is already subject to emergent securitised governance: nation-states, research institutions, biotech firms, and data hosts increasingly treat genomic, epidemiological and biomedical data as strategic assets. She highlights issues of equity, fairness, and geopolitics. For example, the argument that open access to bio-databases (an ideal of scientific collaboration) might be reframed as a “security risk” and thus subject to access restrictions, encryption regimes, licences or national-centric control.

Fouad flags three particular governance consequences:

• Access inequality: despite the rhetoric of open-science, many low- and middle-income countries contribute less data, are less able to upload sequences, and may face more hurdles in accessing bioinformation repositories.
• Superpower competition: bioinformation is increasingly embedded in the race for dominance in the bioeconomy, in precision medicine, genomics, AI-driven biology, and hence in populating all the associated supply-chains, infrastructure and standards. Fouad shows that state actors worry that losing control of such data will mean economic disadvantage or strategic vulnerability.
• Militarisation and control: when bioinformation flows are framed through national security lenses, rather than global health or shared science, the impulse is toward control, restriction, and national databases, rather than collaboration. Fouad warns this may undermine scientific progress, global health equity and the trust networks foundational to response capacities.

Ultimately, Fouad argues for a reconceptualisation of bioinformation as a global common good rather than merely as an object of national strategic control. She stresses that while cyberbiosecurity responses are valid, they must not collapse into a unilateral, militarised logic of defence that exacerbates inequalities or stifles open science.

4. Implications for Cyber Resilience, Testing and Assurance

From the vantage point of cyber resilience and test facilities, Fouad’s article offers several key insights.

Firstly, the convergence of biology with cyber means that testing regimes must increasingly incorporate the dual-nature of “bio” + “cyber”. Traditional cybersecurity testing focuses on networks, endpoints, identity, malware; while biosecurity testing focuses on lab safety, containment, pathogen oversight. Cyberbiosecurity demands test frameworks that address hybrid risks: for instance, how sequence-data pipelines are corrupted, how lab-automation software is manipulated, or how genomic databases are exfiltrated and misused. Fouad’s article foregrounds the need to move beyond siloed testing to integrated assurance regimes.

Secondly, Fouad’s critique of the “futuristic, catastrophic threat” logics implies that resilience-testing must not only simulate worst-case scenarios (e.g., a malicious synthetic-pathogen induced via hacked gene-editing), but also the “mundane” but systemic risks: mis-configuration of data access, supply-chain compromise of lab-software, insider threats in biotech contexts, weak governance practices in data sharing. The “new normal” that Fouad evokes is one in which disruptions may be quotidian, creeping, emergent rather than singular. Testing programmes should emphasise such scenarios.

Thirdly, in terms of governance of test-facilities and infrastructures, Fouad’s equity and global-governance perspectives suggest we should ask: who sets the standards? Who has access to the test-beds? Who retains control of the data produced? In the field of cyber resilience testing for life-science systems, this means designing facilities and protocols that are not only technically robust but socially and ethically conscious: ensuring that low-resource institutions are not excluded, that global sharing is enabled, and that national security logics do not crowd out collaborative health-security aims.

Fourthly, Fouad’s framing invites reflection on how we measure assurance in the cyberbio domain. Traditional metrics focus on vulnerability + mitigation; but in a hybrid cyberbio context, one might need to assess “data integrity of biological pipelines”, “attack surface in gene-editing workflows”, “resilience of automated biomanufacturing control systems”, and “governance-compliance of bioinformation sharing”. Test facilities might need to develop new modelling tools (digital-twin biologic systems, threat-injection into genomic workflows) to simulate and evaluate such risks. Fouad’s article, by exposing the architecture of threat narratives and governance regimes, provides a conceptual anchor for designing such test models.

Finally, on policy translation: Fouad argues that cyberbiosecurity must avoid re-producing a state-centric militarised framing that may hamper global cooperation and equity. For cyber resilience test-beds and assurance frameworks, this implies that we should engage with multistakeholder governance, embed open standards and transparency, and design protocols that underscore global common­goods (e.g., public health, scientific collaboration) rather than only national strategic defence. Testing infrastructures should facilitate not just detection of threats, but also enable trust, data sharing, and resilience across borders.

5. Critical Reflections and Open Questions

While Fouad’s article offers a rich conceptual critique and normative orientation, several further dimensions might warrant deeper probing in the context of cyber resilience testing.

One question is the granularity of threat modelling: Fouad rightly critiques the overly sensational framing of bio-cyber threats. Yet in practice, operationalising test frameworks for the less obvious risks she emphasises remains difficult. For instance, what empirical base do we have for “malware embedded in DNA” or “corrupted gene-sequencing”? While there is literature pointing to such possibilities, the frequency and tractability of such attacks remain contested. Thus, resilience test-beds must balance hypothetical/novel threats with empirical baselines of incidents and vulnerabilities. Fouad hints at this tension but further applied research could bridge the gap.

Another reflection concerns the interplay between data privacy, ethics and security: Fouad highlights genomic privacy and direct-to-consumer testing as early sites of cyberbio risk (e.g., genetic data breaches). However, in the resilience testing context, we must develop protocols not only for threat and intrusion, but for governance of consent, anonymisation, data sharing and cross-border transfer in the cyberbio domain. How do assurance frameworks incorporate ethical risk alongside cyber-technical risk? Fouad sets the normative case for this but operationalising it remains a challenge.

A third dimension is the issue of divergence in global capacity: Fouad shows that the governance of bioinformation is already unequal; many low- and middle-income countries face structural disadvantage in data generation, sharing and infrastructure. This suggests that cyberbio resilience frameworks may risk reinforcing global divides (e.g., only well-resourced nations or labs can implement advanced test-beds). How can test-facilities and assurance frameworks be designed to embed capacity-building, inclusivity and global partnership? Fouad’s governance argument implies this but the practicality is complex.

Finally, the question of normative framing: Fouad advocates treating bioinformation as a global common good, and resisting securitised national strategic logics. For cyber resilience testers and policymakers, this means engaging in normative design of architectures, governance frameworks and standards that reflect openness, trust, equity and scientific collaboration. The challenge is how to reconcile this with states’ legitimate interest in protecting sensitive bio-data and national health security. Fouad’s analysis charts tensions but less so the mechanisms of reconciliation (i.e., how to balance openness and security in practice).

The practical implication is that cyberbio resilience will be built less through imagining unprecedented attacks than through extending existing cyber-resilience disciplines — testing, assurance, governance and capacity-building — into biological data and automation contexts with proportionate ambition.

6. Conclusion

In sum, Noran Shafik Fouad’s “Cyberbiosecurity in the new normal” constitutes a landmark piece in situating the intersection of biology and cyber-security within the broader field of IR and security studies. It challenges the framing of cyberbiosecurity as a merely technical issue, emphasising instead its discursive, political, governance and equity dimensions. For those of us engaged in resilience-testing, assurance and governance of critical infrastructures—including emerging bio-tech systems—it provides an essential conceptual lens: we must attend not only to software, networks and data, but to the bioinformational flows, the global regimes of sharing and control, the equity dimensions, and the governance architectures that underpin them.

As the life-sciences become ever more entwined with digital infrastructures, the “new normal” that Fouad describes invites us to reconsider our test-beds, threat-modelling, governance frameworks and normative commitments. Cyberbiosecurity thus emerges not only as an operational challenge, but as a site of governance contestation, and a space where resilience, equity and global public goods must be actively upheld.

7. References

• Fouad, N. S. (2024). Cyberbiosecurity in the new normal: Cyberbio risks, pre-emptive security, and the global governance of bioinformation.
  • European Journal of International Security, 9(4), 553–573. https://doi.org/10.1017/eis.2024.19
  • Cambridge Review of International Affairs. Retrieved from https://www.cambridge.org/core/services/aop-cambridge-core/content/view/625CE08933DE3C0AE3ECBAF4698551A2/S2057563724000191a.pdf