James Scott, senior fellow and cofounder, Institute for Critical Infrastructure Technology

James Scott, senior fellow and cofounder, Institute for Critical Infrastructure Technology, explains which aspects of critical infrastructure remain vulnerable and how organizations can take the next steps to protect themselves. He dives into the cyber-kinetic-meta war and how metadata is being used as a prime weapon against American critical infrastructure.

To hear this interview on The Peggy Smedley Show in its entirety, log onto www.peggysmedleyshow.com, and select 10/03/17 from the archives.

Smedley:
So let’s talk about the most critical infrastructure right now. What’s your take on what we have to worry about? What’s happening right now?

Scott:
Yeah, well, a lot. We have critical infrastructure … the critical infrastructure silos that I think are most fragile. First and foremost is the health sector. The second is probably the energy sector, and the third, which is rapidly on its way to the second, is the financial sector.

One of the biggest problems that we have right now for national security and critical infrastructure resiliency are dragnet surveillance capitalists. These are corporations that have plug-and-play dragnet surveillance on the population like Equifax, TransUnion, Google, Facebook, and Twitter. What they do is they curate your metadata and then sell it. So people can sell you things, but the problem is their treasure troves of data are not secure. Therefore, bad actors such as nation-states and hacktivists will get into their networks and exfiltrate pre-scrubbed data that they can then plug into, for example, big-data analytics for psychographic targeting, which is where we have the fake news problem, the propaganda, and the digitization of influence and information warfare.

Smedley:
What we’re talking about is where data is searching data. These identity trends and potential scenarios that we’re seeing out there. A lot of things are happening, correct?

Scott:
Yeah. The problem was simply a privacy problem before. But now it’s a national security problem because it was never dealt with. It’s cyber kinetics, so we have cyber warfare. We had traditional warfare, which was pretty much kinetic, but now it’s elevated to a cyber kinetic, meta-war space—and you look at NATO, you look at our intelligence community, European Union.

Everyone’s grappling with this new space right now to the point where our Institute had to open a center for influence operations studies, which is part of our congressional advisory and the intelligence community advisory, where we’re showing how this data that’s been exfiltrated from unprotected critical infrastructure systems is being used against us for all types of influence warfare and the technical component is also difficult. But that’s become part of the problem as opposed to the main problem.

The easy process that, even a script kiddie can spearfish, a critical infrastructure executive who has elevated privileges that they found on LinkedIn, for example, was a malware variant that has something like a key logger, just a basic compilation of tools. And they can then proceed to hijack their social media accounts, you know, get into their network, move laterally throughout their network. Find those treasure troves of data.

And not just exfiltrate, but what we’re going to see, for example, with the Equifax in the financial sector, the Equifax breech, you can no longer trust a single ounce of data from Equifax because part of the attack plans for any adversary is to not just exfiltrate, but alter the data from its original form. So 100% of the data that was in Equifax’s databases can no longer be trusted right now.

It’s funny because I’m down here, we’re a DC-based think tank and the Equifax hearings is going on. And I think today everyone’s just trying to vent on the panel. I think there’s three more hearings. We get in and help to write some of the questions with the representatives. And I’d like to really see them dig deeper and really push for, not just answers, but reform. And it’s getting to the point where from the perspective of dragnet surveillance capitalists, some of these people need to start going to jail. And our advisory is definitely pushing for that. So they need to take protecting the IoT (Internet of Things) microcosm around our organization more seriously or else it’s not just a lawsuit that you’re looking at, it’s a C-suite executive, it could be a striped uniform in a prison cell, hopefully.

Smedley:
I think what we’re talking about is when metadata now becomes this potent weapon for adversaries who want to attack American critical infrastructure that you’re describing—whether it’s healthcare or it’s your energy. I mean it’s changing the data in such a form and it can go back years and modify things that the traceability of that is mind boggling.

And if the CEOs aren’t held accountable, that’s where the problem really comes in is what you’re saying. That’s where the prison needs to be considered. Somebody’s got to really be paying attention, here.

Scott:
Yeah, we have to make an example of Equifax. They have to be what everyone looks back to and says, “Hey, I’m a CEO, I knew about this breach, but we didn’t tell the consumers who were victimized.”

They then tried to revictimize their victims by selling them … by giving them a free service for one year that I guess it auto-charged the customers a second year, but initially anyone that agreed to that, they couldn’t file any class-action lawsuit against them. Very, very underhanded in a difficult situation like this.

You know, if you look at hospitals and things like that where there are so many treasure troves of electronic health records, I think that this sort of thing could migrate over there rather easily. Because of what we’re seeing on the dark Web with the sale of electronic health records, EMR, (emergency medical records) and what can be done with that. The thing that’s getting dangerous is … what actors used to do is simply go to a domain, use an email harvester, and harvest all the emails that are attached to that domain, and then send a spearfishing attack with a malicious payload in order to get at least one recipient within that company on that network to click. That’s really all you needed.

But now, people are taking a more Czech style, Russian approach to the attacks and what they’re doing is targeting the attack in such a way that in an organization, they may only spearfish … like for example an admin at a manufacturer for voting machines. If you’re just concentrating your effort on the admin who has access to that update server for all their machines and you want to poison that update before that update goes out before elections. That’s what’s going to happen. So what they’ll do is they’ll take the Equifax data, they’ll take exfiltrated Comcast data, Facebook, whatever—pre-scrubbed. They’ll put it into big data analytics and run an algorithm that psycho-graphically targets literally the psychological core of the individual. So you know what their interests are, you know what Websites they go to, what their search algorithm is, their typing algorithm.

And so they will click. And when that happens, the payload that injects into their network. You set up remote access Trojans, and you have carte blanche capabilities on their network. Very scary. Very scary.

Peggy Smedley, host of The Peggy Smedley Show