Dangerous data: how information has been weaponised

The RSA conference in San Francisco heard of threats by botnets and connected devices

Welcome to the age of weaponised information. As if you didn’t have enough to worry about, your smartphone and other connected devices could threaten the very fabric of society.

Scaremongering? Not in the opinions of the experts at the RSA conference in San Francisco last week, attended by some 43,000 security professionals.

The event was officially built around business-driven security – a term the organisers describe as an approach to “managing risk in an ever-changing cybersecurity landscape”.

Discussions were dominated by new and unprecedented security threats posed not only to businesses, but also to citizens, to infrastructure and to governments as a result of what some speakers termed the “weaponisation of information”.

The term was largely used in the context of nation-state cyberattacks, such as the Russian hack of Democratic National Committee emails during the US election campaign last year, but threats posed by botnets and the proliferation of connected devices were also prominent.

Democracy at risk

Michael McCaul, chairman of the House Homeland Security Committee, said the Russian threat was about more than just espionage. That hack was the biggest wake-up call yet that cyber-intrusions had the potential to jeopardise "the very fabric of our republic", he said. "Our democracy itself is at risk."

The fake news controversies that also emerged from the US election are evidence enough that this isn't an exaggeration. Wars once fought on land, at sea and in the air were now being fought online, as Brad Smith of Microsoft put it.

But the “weaponisation of information” analogy might also apply to other contexts, such is the unstoppable growth in data and its potential.

Information may also be effectively weaponised through incompetence, through employee malice or through unidentified or unrecognised business risk. And whatever about malice, scandal after scandal shows a lack of awareness of the risks posed by personal data runs rife through many organisations, both public and private.

If organisations aren't already treating their data as both a business asset and a risk, then they will be hopelessly unprepared for the new General Data Protection Regulation by next year – another issue which also bubbled under the surface in San Francisco. Rashmi Knowles, chief security architect at RSA, told The Irish Times she believed the level of awareness was still low.

Several speakers said the regulation needed to be an immediate issue at every board meeting in every company between now and May 2018, when it comes into force.

Terence Spies, chief technologist of Hewlett Packard Enterprise, noted that cyber-attackers not only had the ability to harvest business data from a single hack on a company; they could also glean information from competitors and from other industries, potentially building up correlations not even available to the business itself. Industrial espionage is yet another way in which information may become weaponised.

Connected devices

While the hacking demonstrations at such conferences can be the “fun” part, the ease with which millions of connected devices might now potentially be taken over by criminals is a deadly serious risk that may also require new and innovative forms of regulation. In the wrong hands, everyday devices, unbeknown to the owners, can become weapons in the form of botnets.

Fewer attackers may now do more damage because of their ability to scale such attacks, according to cryptographer Bruce Schneier.

He suggests regulation to address the rampant connectivity of devices is inevitable, and that it might be necessary to establish a state agency to create and oversee safety standards for “Internet of Things” devices.

His suggestion that internet-connected devices should perhaps carry a label identifying their properties and expected behaviour, along the lines of the regulation of food safety or medical devices, seems sensible enough.

Recalling the "collect it all" mantra of Keith Alexander, the former National Security Agency director, Schneier told the conference that governments and corporations were "still punch-drunk on data".

We are now in the era of “connect it all”.

Under the guise of improving services for everyone, governments and public authorities – including in this State – are also finding new ways to gather and use data about citizens.

But used inappropriately, incompetently, without proper planning, without a proper legal basis or without appropriate governance, that data too becomes weaponised and open to abuse, manipulation or attack.

Information has always been used as a weapon. But we are light years on from former MI5 head Dame Stella Rimington’s spy tales at the conference, in which she described “blokes with kettles” steaming open letters in the 1960s.

The volume, velocity and variety of information – connected and analysed in innovative ways and by machines rather than by humans – now makes it infinitely dangerous, infinitely open to manipulation and to inadvertent disclosure or breach; it leaves governments, businesses and citizens exposed in new ways every day.

In the wrong hands, millions are lost, businesses collapse or come under regulatory scrutiny, and in the worst-case scenarios, lives are ruined.