When someone says “There’s no cause for concern, it’s only metadata” you can send them this:
Metadata, or “data about data,” is collected and recorded to describe data, identify trends, administer algorithmic solutions, and model potential scenarios. When one understands how to make sense of seemingly random metadata or how to pair the data with other exfiltrated data pools, there are limitless possibilities for social engineering and cyber exploitation in attacks that weaponize psychographic and demographic Big Data algorithms.
Today, ICIT has published a briefing entitled “Metadata: The Most Potent Weapon in This Cyber War – The New Cyber-Kinetic-Meta War.” In it, we offer an analysis of this underreported threat to national security through a comprehensive assessment of how meta-exploits are hyper-evolving an already next-generation adversarial landscape. This includes discussions on:
- How dragnet surveillance and retroactive legislation impede cybersecurity
- How S.J. Res 34 allows ISPs to undermine national security and privacy
- How Meta-Exploits expedite nation-state attacks on critical infrastructure
- How Meta-Exploitation:
  - of Big Data and metadata augments extremist recruiting
  - of niche personnel enables cyber-kinetic attacks
  - unmasks users with psychographic and demographic algorithms
  - transforms remote contractors into insider threats
  - undermines democratic institutions
  - impedes financial systems
  - precisely tailors disinformation and fake news
  - disrupts energy systems
  - can cripple the healthcare sector
You can download the paper here: http://icitech.org/icit-brief-metadata-the-most-potent-weapon-in-this-cyberwar-the-new-cyber-kinetic-meta-war/
Dragnet Surveillance and Retroactive Legislation Impede Cybersecurity
The combination of dragnet surveillance initiatives and retroactive legislation drastically increases the availability and attainability of exploitable microscopic and macroscopic data about consumers’ every online action and decision. Hacking is a resource-intensive grind in which copious exploits work, but few remain functional for long. Naturally, as vulnerabilities are leveraged or exploits are sold, defenders become aware of them and develop mitigation and remediation strategies to secure infected networks.
Adversaries regularly find new vulnerabilities to exploit because of the architectonic chaos that plagues the typical organizational IoT microcosm. The volume of cyber-attacks continuously increases due to the hyper-evolution of the adversarial landscape and to the stealth and sophistication of malicious actors, who are becoming more precise in their direct cyber-kinetic targeting of critical infrastructure executives with elevated privileges. Esoteric and scarce zero-day exploits are no longer essential to the success of a cyber campaign. Instead, adversaries have a new and accelerated focus on the curation of metadata, because no matter how much organizations invest in personnel and training, they cannot reduce their reliance on people, and people’s characteristics are difficult or impossible to change.
Metadata enables the success of direct and indirect exploits in all critical infrastructure silos in every major nation because it exposes systemic operational vulnerabilities and it facilitates the bypass of ingrained cyber-hygiene defenses. There are limitless possibilities for social engineering and cyber exploitation when one understands how to make sense of seemingly random metadata or how to pair the data with other exfiltrated data pools in attacks that weaponize psychographic and demographic Big Data algorithms.
Metadata is the New Exploit
Metadata, or “data about data,” is collected and recorded to describe data, identify trends, administer algorithmic solutions, and model potential scenarios. It is categorized as descriptive (identification details), structural (combination and container details) and administrative (creation, technical, and access details). Some metadata, such as that generated by telecommunications, can trivially re-identify the parties involved. The mere fact that two entities are communicating, or have communicated in the past, may itself be valuable information. Other metadata, such as web-browsing records, is supposed to be significantly harder to use in re-identification, yet social media and online networking sites, applications, and services already associate user profiles, activities, behaviors, and expressions to psychologically manipulate customers into behaving in certain ways, absorbing specific content, or believing particular details. Former NSA General Counsel Stewart Baker has been quoted saying, “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content,” and General Michael Hayden, former director of the NSA and the CIA, adds, “We kill people based on metadata.” If nothing else, metadata enables operators to identify significant sets and associations within larger Big Data stores. Recent legislation, such as mass-surveillance and data-sale bills in multiple countries including the United States, has increased the risk that metadata poses to Internet users by allowing or requiring private entities such as ISPs to exchange consumer-centric information with unknown and unregulated third parties.
Typically, when social networks and search platforms “sell data,” what they are actually selling is the targeting of a particular sub-segment of the market on their own platform. ISPs cannot do that because they lack a platform on which to deliver specific ads to specific consumers, so the data itself has to be handed over to the buyer. Further, given data leakage, insecure ISP servers, and the increasing market viability of and interest in consumer data sets, it is only a matter of time before Internet users suffer increased adversarial exploitation tailored to their online activities.
S.J. Res. 34 Allows ISPs to Undermine National Security and Privacy
S.J. Res. 34 is a 124-word joint resolution (accompanied by a 40-word title) whose official summary reads, in its entirety: “This joint resolution nullifies the rule submitted by the Federal Communications Commission entitled "Protecting the Privacy of Customers of Broadband and Other Telecommunications Services." The rule published on December 2, 2016: (1) applies the customer privacy requirements of the Communications Act of 1934 to broadband Internet access service and other telecommunications services, (2) requires telecommunications carriers to inform customers about rights to opt in or opt out of the use or the sharing of their confidential information, (3) adopts data security and breach notification requirements, (4) prohibits broadband service offerings that are contingent on surrendering privacy rights, and (5) requires disclosures and affirmative consent when a broadband provider offers customers financial incentives in exchange for the provider's right to use a customer's confidential information.” Those few sentences undermine consumer privacy and radically redefine the cyber-threat landscape for every critical infrastructure silo. S.J. Res. 34 allows ISPs such as Comcast, Time Warner, Verizon, T-Mobile, etc. to sell consumers’ IP addresses, Internet search histories, temporal data (when a user is online, for how long, the time between clicks, visit duration, etc.), and other metadata. Most importantly, S.J. Res. 34 removed the requirements that Internet Service Providers protect data from hackers during storage, transmission, and processing; notify consumers of security incidents that jeopardize their data; and refrain from exchanging consumer metadata with private entities without consent.
The legislation grew out of ISPs’ envy of the user-data monetization models of social media and search engine companies. Telecommunication companies were barred from participating in these schemes, which trade “free” services for customer information and ad revenue, because ISPs capture and process significantly greater quantities of, and drastically more detailed, information than other online organizations. Their argument that they should enjoy the same liberties and accountability standards as companies like Facebook and Google is intentionally deceptive. Though massive, those digital platforms cannot access or capture users’ entire online browsing sessions; they can only monitor user actions on their own outlet or affiliated sites. Further, social media and search engine companies exchange economic incentives in the form of utility and convenience for users’ data, under the express understanding that the information provided may be used for targeted advertising or shared with third parties. Users have some level of choice and consent over what information is provided and how it is used. ISPs offer customers no such additional value. Neither under the prior restrictions on the sale of consumer data nor after S.J. Res. 34 will customers see a decrease in their Internet and telecommunication bills. If anything, prices will continue to rise at inflated rates that feed profit lines instead of securing consumer data or modernizing decrepit infrastructure. Consumers can choose what information to share with each social media or search engine they engage with, and if the data-price exceeds their willingness to pay, they seek an alternative or abstain.
Access to the Internet is not comparable. Consumers already pay ISPs exorbitant fees for slow data rates and notoriously shoddy customer service. Most have no choice of ISP because entire regions lack any alternative or competition. Meanwhile, telecommunication companies can inspect, monitor, capture, and sell nearly every macroscopic and microscopic datum.
Without S.J. Res. 34, ISPs would have to develop enticing and innovative multi-level service platforms to compete with Google, Facebook, and other tech incumbents in a free and fair market. Under S.J. Res. 34, consumers pay ISPs every month only for their data to be sold to any number of unknown buyers and resellers, used for unknown purposes, stored on unknown servers with unknown security, and transmitted onward to parties unknown. While some nation-state affiliated firms will legally purchase data, most threat actors cannot and do not need to do so. Every time a script kiddie, cyber-criminal, or cyber-mercenary infiltrates a public or private sector system, they now have the opportunity to exfiltrate detailed metadata as a secondary objective. Each purchase of metadata sets from an ISP by a legitimate company carries the risk that the purchasing organization’s systems are or will be compromised, that the entity operates in part or in whole on behalf of an adversarial nation-state, or that a malicious insider could access and steal the information.
Meta-Exploits Are Hyper-Evolving an Already Next Generation Adversarial Landscape
Meta-Exploitation Expedites Nation-State Attacks on Critical Infrastructure
The Chinese state-sponsored Deep Panda APT exfiltrated 22.1 million highly detailed, 127-page SF-86 forms in the 2015 OPM breach. The incident will haunt the U.S. for decades because the entire cleared workforce may already be subject to compromise by the Chinese government. The forms contained the demographic and psychographic information of critical infrastructure personnel and clearance applicants. The stolen information can be aggregated with other data stolen by Deep Panda and affiliated groups into a custom database of American critical infrastructure personnel. The information was not encrypted in OPM’s systems, and the only deterrent to establishing a “LinkedIn for espionage and blackmail” is the sheer quantity of data; however, recent advances in Big Data analytics and machine learning will reduce the computational cost of leveraging it.
Artificial Intelligence algorithms can combine the data already exfiltrated in the OPM, Anthem, and other incidents with the vast stores of metadata purchasable from U.S. ISPs. In China, organizations are either owned by the state or are subject to the management of one or more government liaisons with administrative authority. The Chinese government can acquire metadata legally through layers of shell companies or foreign branches, or by deploying one of roughly a hundred advanced persistent threat groups to exfiltrate it from a poorly secured data broker, ISP, or federal agency. Combined with the SF-86 forms, AI can de-anonymize metadata to identify critical infrastructure personnel from their psychological and web-browsing profiles, or it can detect vital personnel who have become vulnerable in the years since the OPM breach. Browsing histories that reveal frequent visits to gambling sites, multiple credit card pages, loan applications, or even dating sites could indicate that a federal employee is ripe for financial blackmail or for recruitment as an intelligence asset.
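The two mechanisms the brief relies on, that a few pieces of “anonymous” metadata are unique to one person (the re-identification point made under “Metadata is the New Exploit”) and that a second, stolen data pool such as a personnel form turns that uniqueness into a name plus a set of leverage indicators (the point made in the paragraph above), can be shown on a small constructed dataset. The example below is added here and is not from the ICIT brief or from any real ISP data; every subscriber pseudonym, domain name and “known fact” in it is invented for illustration, and the indicator categories are simply the ones the paragraph above names.

```python
"""
Added example (not from the ICIT brief): how pseudonymous browsing metadata
re-identifies a subscriber once it is joined to a second data pool, and why a
handful of visited domains is usually enough to do it.

All records below are constructed sample data. Subscriber pseudonyms, domains
and the 'known facts' are invented for illustration only.
"""
from itertools import combinations

# Constructed ISP-style metadata: pseudonymous subscriber id -> set of domains
# seen in DNS/flow logs. No IP addresses, names or content, only 'data about data'.
BROWSING = {
    "sub-0001": {"news.example", "mail.example", "bank-a.example",
                 "gambling-x.example", "agency.example.gov", "alumni-u.example"},
    "sub-0002": {"news.example", "mail.example", "bank-b.example", "sports.example"},
    "sub-0003": {"news.example", "mail.example", "bank-a.example",
                 "dating-y.example", "agency.example.gov", "alumni-v.example"},
    "sub-0004": {"news.example", "video.example", "bank-b.example", "loans-z.example"},
    "sub-0005": {"news.example", "mail.example", "bank-a.example", "sports.example"},
    "sub-0006": {"video.example", "mail.example", "bank-c.example", "gambling-x.example"},
}

# Domain categories the brief singles out as blackmail/recruitment indicators
# (constructed mapping; a real one would be a categorization feed).
INDICATOR_CATEGORIES = {
    "gambling-x.example": "gambling",
    "loans-z.example": "lending",
    "dating-y.example": "dating",
}


def subscribers_matching(domains, browsing=BROWSING):
    """Pseudonyms whose browsing contains every domain in `domains`."""
    wanted = set(domains)
    return sorted(sid for sid, seen in browsing.items() if wanted <= seen)


def unicity(k, browsing=BROWSING):
    """Fraction of subscribers for whom SOME k of their own visited domains are
    unique to them in the dataset. High unicity at small k means a few
    'random' data points are enough to single a person out."""
    unique = 0
    for sid, seen in browsing.items():
        for combo in combinations(sorted(seen), k):
            if subscribers_matching(combo, browsing) == [sid]:
                unique += 1
                break
    return unique / len(browsing)


def link_identity(known_facts, browsing=BROWSING):
    """Join a second data pool (e.g. employer, bank and alma mater taken from a
    stolen personnel form) onto the pseudonymous metadata. Returns the single
    matching pseudonym, or None while the facts are not yet discriminating."""
    candidates = subscribers_matching(known_facts, browsing)
    return candidates[0] if len(candidates) == 1 else None


def risk_indicators(sid, browsing=BROWSING, categories=INDICATOR_CATEGORIES):
    """Sensitive-site categories visited by a linked subscriber, i.e. the
    leverage an adversary would look for after re-identification."""
    return sorted({categories[d] for d in browsing[sid] if d in categories})


if __name__ == "__main__":
    # Facts an adversary might hold about one target from a stolen form:
    facts = {"agency.example.gov", "bank-a.example"}
    print("candidates:", subscribers_matching(facts))      # still two people
    facts.add("alumni-u.example")                           # one more quasi-identifier
    target = link_identity(facts)
    print("linked:", target, "indicators:", risk_indicators(target))
    print(f"subscribers unique on 1 domain: {unicity(1):.2f}")
    print(f"subscribers unique on 2 domains: {unicity(2):.2f}")
```

Two quasi-identifiers (employer portal plus bank) leave two candidates; a third narrows the match to one pseudonym, after which the gambling visits become the “ripe for blackmail” signal the paragraph describes. The `unicity` figure is the defender’s check: if most subscribers in a metadata set are unique on two or three domains, stripping names and IP addresses before sale or storage has not anonymized anything.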
See the full PDF below.