How the Personal Data Markets Threaten National Security

This is the second of a three-part series respectively covering the current state of the data broker industry, the threat it poses to national security, and a novel proposal for resolving these issues while maintaining or increasing profitability for data brokers.

 

As covered last week, the current market for personal data allows groups, including countries that might wish the U.S. harm, to easily and cheaply obtain detailed personal information on almost any U.S. citizen. Not only could this give potentially hostile nations an espionage advantage over the U.S., it could also facilitate their attempts to influence popular opinion.

Both China and Russia have been implicated in bulk acquisition of data on U.S. citizens. U.S. officials have concluded that the 2015 Office of Personnel Management breach affecting over 4 million U.S. federal government employees, the 78 million health records taken in the Anthem breach, the travel records stolen from United Airlines, and data from other targets are part of a campaign intended to build a massive database of U.S. citizen records.

Given the historically close relationship between the Russian government and organized crime, especially cybercrime, one must also consider the possibility of state involvement in several breaches attributed to Russian hackers. These include the 2015 theft of over 100,000 tax returns; the theft of 1 billion Yahoo accounts in 2013, only discovered in 2016 (one buyer of which, the lead investigator specifically believed, “was potentially a foreign intelligence organization because the questions they were asking were very specific”); the allegedly state-sponsored 2014 Yahoo breach of 500 million accounts; the theft of 117 million LinkedIn login credentials; and the theft of approximately 40 million credit card records through a series of breaches of retailers in which cyber criminals seemingly referenced American and European sanctions against Russia at the time.

The most conventional application for these data is espionage. Not only could they be used to identify U.S. intelligence assets, they could also point towards potential recruitment targets through blackmail, financial difficulties, ideological susceptibility, and/or facilitating personality traits. Fraudulent accounts or identity theft could also allow for infiltration of institutional and social networks for acquisition of additional information.

The less conventional threat it poses becomes apparent when one considers that the entire purpose of marketing data aggregation is to influence people more efficiently.

Russia has certainly demonstrated an interest, and apparent success, in mass influence of foreign populations. Recent Russian ventures have included influencing elections in the United States, the Netherlands, and Germany, as well as the Brexit referendum and the Italian referendum, through spreading fake news and (in the case of at least the U.S.) cyberwarfare. Even outside the context of elections, Russia has sponsored sophisticated covert networks of trolls that spread both terrifying hoaxes and subtle propaganda. Large networks of Twitterbots have also been identified propagating pro-Kremlin narratives.

The use of personal data could make targeting and tailoring these influence campaigns more efficient. Its effectiveness in shaping public opinion is highlighted by how reliant U.S. politicians have become on using such data to fine-tune their messages to each audience, as touched upon last week. Even a former skeptic of data’s efficacy, Donald Trump, ended up using the services of the firm Cambridge Analytica (which claims to have 4-5,000 data points on 220 million U.S. adults, and even more when supplemented with the databases of larger firms) to build 100,000 web pages micro-targeted to appeal to specific voter segments. Clinton, of course, had her own extensive data mining and analytics operation, and Obama’s was often credited with giving him a strong campaign advantage.

Outside of politics, personal data analytics applied to marketing have proven effective at increasing a company’s profitability, even though (as of the 2015 study) most companies implemented it inefficiently.

Algorithmic analysis of consumer data can make targeting even more efficient, as demonstrated by a 2014 Telenor/MIT study in which an automated marketing program used social network analysis to obtain 13 times the initial conversion rate of an experienced marketing team (that is to say, the people it selected as likely customers were 13 times as likely to buy services as the ones chosen by the human marketers). In addition, 98% of the customers that the algorithm convinced continued to use the services for the next month, compared to 37% of the ones successfully chosen by the human marketers.

As tools for converting personal data into persuasion continue to advance in sophistication, they will provide ever more potent weapons for public manipulation by hostile governments unless we can prevent our citizens’ information from falling into their hands.

Next week will cover how to keep our personal data out of their hands while improving the industry’s profitability and curbing its excesses.

FCC Adopts Broadband Privacy and Data Security Rules

Today, the Federal Communications Commission adopted new rules that apply to Internet Service Providers, but not “edge” providers such as Twitter or Facebook. (The Federal Trade Commission has jurisdiction over edge providers.) The 3-2 vote divided along party lines. The rules seek to protect consumer privacy and security. Here are some highlights.


Press Release: Indiana University Researchers Help Develop State-of-the-Art Cybersecurity Resource

Last week, the Center for Applied Cybersecurity Research distributed a press release on the Center’s contribution to the Software Assurance Marketplace (the SWAMP), a new resource tool for software developers that will help close critical security holes in their products.

___________

Researchers from Indiana University’s Center for Applied Cybersecurity Research and University Information Technology Services’ Research Technologies Division have contributed to the development of a new tool designed to help software developers close critical security holes in their products.

Cybercrime is booming; it is an estimated $100 billion industry in the United States and shows no signs of slowing down. Attackers have an arsenal of weapons at their disposal, including social engineering — or phishing — penetrating weak security protocols and exploiting software vulnerabilities that can serve as an “open window” into an organization’s IT environment. Closing those windows requires effective and accessible tools to identify and root out software vulnerabilities.

The Software Assurance Marketplace, or the SWAMP, has created a resource to address this growing need that was made publicly available and free to the software community this week.

Supported by a $23.4 million grant from the Department of Homeland Security’s Science and Technology Directorate, the SWAMP provides a state-of-the-art facility that serves as an open resource for software developers, software assurance tool developers and software researchers who wish to collaborate and improve software assurance activities in a safe, secure environment. From the very early stages of a project and throughout its entire life cycle, the SWAMP offers continuous, automated access to a rich and evolving set of assessment capabilities.

Upcoming Congressional Hearings on Cybersecurity And Identity Theft Bills

S.149 STOP Identity Theft Act 

The Stopping Tax Offenders and Prosecute Identity Theft Act (“STOP Identity Theft Act”) will be discussed by the Senate Judiciary Committee on Thursday (2/6/14). The bill, sponsored by Senator Amy Klobuchar (D-MN), amends the federal criminal code to make identity theft in relation to felony tax fraud an offense punishable by a fine or imprisonment for up to 20 years. The bill then directs the Attorney General to prosecute tax return identity theft using Department of Justice resources and through coordination with state and local authorities.

H.R. 3696 National Cybersecurity and Critical Infrastructure Protection Act

The full House Committee on Homeland Security is slated to mark up the National Cybersecurity and Critical Infrastructure Act (the “NCCIA”) on Wednesday. Congressman Michael McCaul, the committee’s chair, is the sponsor of the bill. The NCCIA amends both the Homeland Security Act of 2002 and the Support Anti-Terrorism By Fostering Effective Technologies Act of 2002 (the “SAFETY Act”).

The amendments to the Homeland Security Act broadly define “cyber incidents” and then require the Secretary of Homeland Security to take a number of steps to protect, mitigate, and respond to these incidents. Additionally, the bill requires the Secretary to identify critical infrastructure sectors and recognize a Sector Coordinating Council (“SCC”) and an Information Sharing and Analysis Center (“ISAC”) for each sector. The Act also amends the Homeland Security Act to establish the National Cybersecurity and Communications Integration Center to facilitate sharing of cyber threat information between federal, state, and local government, as well as ISACs, private entities, and critical infrastructure owners and operators.

The amendments to the SAFETY Act seek to limit the liability of technology providers in the event of a qualifying cyber incident.