As an adjunct professor who teaches cybersecurity, one of the most frequently asked questions I receive from both students and audience members to whom I speak is: What, from a cybersecurity standpoint, keeps you up at night? For about the past five years, my answer – which I will give after a short lesson to the reader – has not changed. In fact, my view (read: answer) has been instantiated by relatively recent and ongoing events. But first, that short lesson!
A universal paradigm used as a foundation for teaching information assurance is the Cybersecurity Triangle.[i] [ii] The three components comprising this equilateral triangle are (1) confidentiality, (2) availability, and (3) integrity. Simple, operational definitions follow:
- “Confidentiality” (simply) means keeping the wrong people from receiving information/data (hereafter, referred to solely as “data”) meant solely for authorized users of these data.
- “Availability” (simply) means getting data to the right people when they need it.
- “Integrity” (simply) means knowing the data that has been requested and received has not been altered, and is true.
As stated above, the triangle is equilateral, meaning all three components are meant to be seen as equal. However, I will now argue and demonstrate that, in my view, they are by no means equal and that one “corner” should be treated as paramount within the maintenance of a network’s cybersecurity posture for the long-term health of the enterprise – and the winner is … Integrity.
I will start with what I feel is the easiest component to eliminate (from the three). A user and/or network administrator will know immediately if the availability of requested data has been affected. How? Well, the data requestor will not get the data requested. Simple enough. Once a lack of data availability is observed, it is just a matter of those responsible for network upkeep conducting a logical backtrack that will produce a number of areas where the root fault may have occurred and can, subsequently, be fixed.
Regarding confidentiality, a network breach in confidentiality may also (but not always) result in a public acknowledgment of the unauthorized disclosure, thus allowing network administrators to be aware of the exploit. Regardless of how disruptive this open disclosure may be from a reputational standpoint, once this situation is known to exist, this “leak” may be addressed immediately, again by logical backtracking that will eventually aid in “plugging the hole.” There may also be a resultant change in the victimized enterprise’s internal practices to ensure any exploits associated with the vulnerability can be successfully mitigated going forward.
And now, integrity. The reason why I hold integrity as the highest form of threat is that, if a stealthy, malicious actor wishes to remain silent concerning the altering of data on a targeted network, there may never be any way the owners of the victimized network will know that administrative and managerial decisions for the enterprise were made using faulty information that was altered on purpose. Outcomes from these and non-malicious data integrity issues could, for example, cause developmental failures during vital (and costly) research and development ventures,[iii] logistical snafus if geo-location or coding data is errant in global positioning applications,[iv] or perhaps even have mortal implications if health records are skewed.[v]
Further, there is an aspect of immediacy in time orientation: once a shortcoming is seen for issues rooted in data availability or confidentiality, these issues can likely be addressed with immediate action and in a manner where control over related variables (i.e., network operations, necessary expenditures, accesses, etc.) is regained. In contrast, issues rooted in information integrity may take years to discover and offset, that is if they are ever found at all. Time orientation is a key characteristic, in my belief, regarding the relative importance of ensuring data integrity, especially in support of strategic (read: long-term) endeavors.
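The contrast drawn above (an availability failure announces itself; an integrity failure does not) is why integrity has to be made detectable by design rather than waited for. As an added example, not part of the original essay, the following sketch seals a small constructed "system of record" with keyed, chained integrity tags so that the alteration of a single field in a single record is found on the next verification pass. The record contents, the key, and the field names are all constructed for the illustration; the key is assumed to be held outside the database the records live in.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed sample records of the kind a system of record might hold.
# Every value here is made up for the example.
RECORDS = [
    {"id": "E-001", "item": "latent print card", "hash_sha256": "a1" * 32},
    {"id": "E-002", "item": "seized drive image", "hash_sha256": "b2" * 32},
    {"id": "E-003", "item": "body-cam footage", "hash_sha256": "c3" * 32},
]

# Assumed: the key is kept by a separate custodian (e.g. an HSM), so whoever
# can edit a row in the database cannot also recompute a matching tag.
VERIFY_KEY = b"constructed-demo-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so the tag depends only on record content."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(records: List[dict], key: bytes) -> List[dict]:
    """Tag each record with an HMAC over its content plus the previous tag.
    Chaining also exposes a record removed from or reordered within the ledger
    (guarding the tail against truncation needs the final tag stored separately)."""
    sealed, prev_tag = [], b"\x00" * 32
    for rec in records:
        tag = hmac.new(key, prev_tag + canonical(rec), hashlib.sha256).digest()
        sealed.append({"record": rec, "tag": tag.hex()})
        prev_tag = tag
    return sealed


def verify(sealed: List[dict], key: bytes) -> Optional[int]:
    """Return the index of the first entry whose tag fails to recompute, or None if intact."""
    prev_tag = b"\x00" * 32
    for i, entry in enumerate(sealed):
        expected = hmac.new(key, prev_tag + canonical(entry["record"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(entry["tag"])):
            return i
        prev_tag = expected
    return None


def demo() -> Tuple[Optional[int], Optional[int]]:
    """Seal copies of the constructed records, then change one hex digit in one stored hash."""
    ledger = seal([dict(r) for r in RECORDS], VERIFY_KEY)
    before = verify(ledger, VERIFY_KEY)
    ledger[1]["record"]["hash_sha256"] = "b2" * 31 + "b3"  # the "minuscule" silent edit
    after = verify(ledger, VERIFY_KEY)
    return before, after


if __name__ == "__main__":
    print(demo())  # (None, 1)
```

Without the tags, the edited row is indistinguishable from a legitimate one; with them, the same single-digit change pinpoints the affected record on the next pass.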
So now I owe the reader an answer to the initial “Cyber 2019” question that prompted this missive: “What, from a cybersecurity standpoint, keeps me up at night?”
The answer: A likely reason why any sophisticated, malicious cyber actor – with anti-American intent – would conduct just one successful bout of network or data integrity compromise but choose to keep that achievement secret, thus saving disclosure of the event for some future time.
In my view, the likely reason for disclosing a hack in such a manner would be to wait for the moment when disclosure would most effectively, and irreparably, destabilize confidence in a trusted system that was already in a weak state.
*Note: Before we go on, I wish to make some admissions: I am neither an attorney, nor am I an administrator for any systems of record used in U.S. legal proceedings. The reasons for these admissions will be clear soon enough.
What happens when a malicious actor is NOT motivated by money, and the goal of a single hack was to show that a network reputed to be highly defended could, in fact, have just one file altered in an ostensibly minuscule manner? This “event” may still not register “high” against the typical security manager’s threshold of urgency, given all the other strikingly conspicuous, malicious cyber activities likely occurring at the same time. Now, please imagine that this network and the supporting databases where this one file was altered house data on, for example, fingerprints or other evidentiary information used to prosecute cases in U.S. courts of law (regardless of the governmental level, i.e., state, local, county, etc.). It is my belief that a malefactor to U.S. interests might attempt to use such a scheme to torpedo confidence – held by the citizenry – in the due process that should be afforded, by law, to all Americans.
For those who believe my supposition is just hyperbole, I offer the relatively recent and provocative examples of U.S. election outcomes, at all levels of government (i.e., federal, state, local, county, etc.) held over the past four years. A popular view that ostensible, irrefutable evidence demonstrates malicious cyber actors may have and continue to manipulate election results and influence outcomes perfectly illustrates how a mythology has exploded into existence to challenge the reliability of an entire sector of U.S. infrastructure like never before. Some media outlets have also propagandized a connection between (1) a supposed decline in trust in the electoral system[vi] [vii] and (2) hurtful (i.e., violent and reputational) impacts from protests by both frustrated law-abiding citizens and volatile fringe groups located throughout the country.[viii] [ix] [x]
If the reader can entertain that my views may have some merit, then I now ask them to think about what would happen if, for example, a foundational system of record used to undergird U.S. jurisprudence, due process, and societal harmony could successfully be challenged just once as being inaccurate (due to malicious compromise) resulting in a dismissal or overturning of a previous legal decision? Now think of the overturning of that previous ruling occurring at a time of great pessimism or civil dissonance. To what extent would or could this negative sentiment be amplified by COMPLETE SOCIETAL DISTRUST IN ANY EVIDENCE PRESENTED AGAINST OR SUPPORTING EITHER SIDE IN A COURT CASE?
I honestly do not know the number of those persons who have been (correctly or wrongfully) convicted, but I would wager every defense attorney worth their salt would be filing motions of appeal on behalf of their clients due to this new “finding,” dating from the time the network or data integrity compromise was calculated to have occurred. A precedent would now be set for arguing against the admissibility of any evidence that had been recorded on the compromised system of record, followed by the likely-to-be-commonly posed question: “If the steward of the affected system of record did not catch the slight (but impactful) compromise in digital file integrity once, how do we know that [my client’s] file was not also affected, your honor?” This situation could be used to potentially exonerate the guilty, meaning no justice for their victims, or – even worse – cast suspicion on the innocent (with altered data now viewed as inculpatory towards law-abiding citizens). The hope would be that existing redundancies in place (i.e., back-up servers, etc.) could help answer such queries with utmost certainty, but hope is not a strategy.
Further, technical mitigations used to correct any discovered network operational shortcomings may not be enough to convince future jurors and jurists that the network was now sufficiently hardened; the stain of having been compromised could remain and be influential in rulings, especially if standards for forensic outcomes were non-existent and differed from trial to trial (as they do in the UK).[xi]
Such outcomes are why, I believe, a malicious actor would wait to hold onto an invaluable screenshot or file acquired from a hack, never repeat the process that led to the compromise, and only later broadcast the evidence of the hack at an opportune time (for that malicious actor). Nothing increases the likelihood of a malicious cyber operation being discovered by network administrators like the observed repetition of a technique. Therefore, the “value” in abruptly destabilizing-at-will the society of an adversary or global competitor might be considered too great to risk by continuing the malicious cyber campaign that had resulted in the “golden grab” of the screenshot after a possible data integrity compromise.
In a movie of which I am very fond called The Peacemaker, Nicole Kidman and George Clooney play a nuclear scientist and a U.S. Army special operations officer, respectively, who must track down a stolen tranche of nuclear warheads that may be used against the United States. During an exchange, Clooney’s character comments that malevolent people require [the (monetary) price to be right] in order to commit to such potentially horrific acts. Kidman’s character disagrees, and responds by saying she is [not scared of the person who wants a tranche of warheads, but is absolutely terrified of the person who just wants one]. Whether it is just one kinetic weapon of mass destruction or just one weaponized digital file (or screenshot) that could precipitate catastrophic, societal destabilization, I fully concur with her statement.