Intelligence leaders are worried that the next front in malicious cyber activity will be efforts to deliberately manipulate data, altering a hacked system in such a way that users will unwittingly rely on false information.
At a Senate Intelligence Committee hearing Thursday, National Security Agency director Michael Rogers counted manipulation among the three kinds of cyber activity that concern him the most going forward.
“At the moment, most of the [malicious cyber activity] has been theft,” Rogers said. “But what if someone gets in the system and starts manipulating and changing data, to the point where now as an operator, you no longer believe what you’re seeing in your system?”
Rogers’ comments echo Director of National Security James Clapper, who raised some eyebrows with a similar warning at a House Intelligence Committee hearing earlier this month.
“I believe we’ll see more cyber operations that will change or manipulate electronic information to compromise its integrity,” Clapper said.
Experts say that while they haven’t seen many hacks that intentionally alter data yet, as security systems get better and hackers are forced to get more creative, manipulation is a likely new cyber vanguard.
“I definitely think that’s something that will happen in the future,” Jordan Berry, a threat intelligence analyst with the security firm FireEye, told The Hill.
Security experts classify different kinds of cyber attacks into several largely agreed-upon buckets, depending on which of three well-established principles of data security has been compromised.
Data is considered “secure” based on access, integrity and confidentiality.
The wholesale pilfering of federal records from the Office of Personnel Management, for example, was a breach of data confidentiality. Users’ private data was exposed to the wider Internet.
DDoS attacks that spam a Web site with an overload of traffic and force it to shut down have an impact on access to data.
Data manipulation is a perversion of the integrity of data. Such an attack might take many forms — and victims may not even know it’s happening.
Criminals might fudge data to game the stock market to their advantage — make a stock appear to be increasing in price when it’s not or falsify earnings reports, for example — or undercut and therefore damage the backbone of the trading system itself.
“We’ve seen this a couple of times,” said Todd Feinman, CEO of data classification and security management firm Identity Finder. “Somebody will be hacked and the hackers will change a bunch of numbers — fives will become fours, for example. Now, the company is relying on that data, not realizing it was compromised.”
Other forms of data manipulation have both economic and national security implications.
In 2013, Syrian hackers took over The Associated Press’ Twitter account, tweeting out that there had been explosions at the White House and President Obama had been injured.
In three minutes, the fake tweet caused a 150-point drop in the Dow and “erased $136 billion in equity market value,” according to Bloomberg.
“If you have something that’s well trusted like the AP Twitter account and you cast doubt, that immediately causes repercussions because people believe it,” Berry said.
From a technology standpoint, ingress into social media is probably low-hanging fruit for cyber criminals looking to affect an outcome through public misinformation — one of the likely uses of data manipulation.
“Social media is a great way to have an immediate effect if you’re looking for some kind of public misinformation,” Berry said. “[The so-called Syrian Electronic Army] was looking to cause a big splash. It had an effect on how we do business in the real-world sphere.”
The hack appeared to be, at best, vandalism and at worst, an attempt to intimidate and damage markets by a non-state actor, but intrusions that undercut data integrity have the potential to be a powerful arm of propaganda and false information by foreign governments, experts say.
“For instance, if some hot flash reports are coming from an event and a nation state has in-between access from on-the-ground reporters to people who are receiving that information, and they want to change the perception, they can change those reports before they reach their final destination,” Berry said.
Because data manipulation doesn’t restrict access to documents, organizations may not even notice that someone has tampered with their data.
“If organizations don’t see gigabytes of data leaving their networks, they may not understand or know that someone has tweaked their financial report,” Berry said. “It may be something that’s more subtle than an outright data theft attack or deletion.”
Feinman notes that companies that are the victim of data manipulation hacks could still be held accountable by regulatory agencies.
Both the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) have brought recent cases against firms with lax cybersecurity.
In August, a federal appeals court ruled unanimously that the FTC could go forward with a lawsuit alleging that the Wyndham hotel chain did not do enough to safeguard its customers’ personal data.
On Tuesday, a week after the SEC issued a risk alert that it would be continuing its increased scrutiny on broker-dealers and advisers’ cybersecurity, the agency charged an adviser with failing to adopt a written cyber policy to guard its customer records and information.
Registered advisers are required by the agency to create policies that, among other things, protect against “any anticipated threats… to the security or integrity of customer records and information” and “unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.”
Both Berry and Feinman caution that while attacks that compromise data integrity have not ramped up yet, data manipulation is still likely to evolve into a very real threat.
“Once we see a sophisticated nation-state actor do this kind of thing, cyber criminals and others are soon to follow," Berry said.
The rapid proliferation of cloud computing use may contribute to a rise in both malicious and accidental data manipulation, Feinman says. Because more individuals will be editing the same information, the opportunities for either unintended alterations or spurious break-ins that result in revision are inherently higher.
“As companies create multiple copies of the same piece of data, we’ll see more data manipulation because there’s more targets for [hackers] to go after,” Feinman said.