A few days ago I reported on the theft of some outdated employee information from the Department of Homeland Security and the Federal Bureau of Investigation.
The data, which included names, titles, email addresses and office phone numbers of employees, was of limited use to someone attempting identity theft. However, the less known fact is that it could actually be a windfall for a foreign intelligence agency.
That’s because when combined with other data from a broad variety of sources it can be used to paint an accurate picture of individual government employees in extreme detail.
It works like this: A hacker commits a breach into a government site and either posts the list of names for free, as was the case with the DHS and FBI data, or attempts to sell it, which is what happens with more valuable data such as health care records and credit card accounts.
An astute intelligence agency acquires the data, regardless of the source, and hangs on to it. As new breaches happen, the agency gathers potentially related data that is included in what has effectively become a vast data warehouse of government employees.
This compilation of personal information is bad enough, but when the bad guys perform data analysis, the risk to national security skyrockets. This is why “national security has to begin with cyber,” said Dipto Chakravarty, senior vice president of engineering for security at CA Technologies. Chakravarty said that cyber-security is the hardest challenge for national security.
“I think what happens is that stealing data is easy,” Chakravarty said. He pointed that information on how to find the various successors to the now closed Silk Road underground market is readily available on the dark web.
Once data, such as the employee lists stolen from the Department of Justice, is combined with other readily available information, the data can tell some important stories. He said that with big data analysis tools, it’s easy to find a person’s patterns and habits, where they routinely travel, how they spend their money and any activities they’re involved in that could make them subject to exploitation.
Here’s an example of how this all might happen. A foreign intelligence service perhaps has a list of employees for a critical government agency, such as the National Security Agency, which could have happened, since the health insurance plan used by that agency was breached two years ago.
The foreign intelligence analysts compare that list against credit card activity available because of a different, unrelated breach. That credit card data reveals a series of hotel stays and restaurant charges in an overseas location that the staffers being examined don’t normally visit.
When a few other employees of the same agency are examined, they also exhibit related activities in the same location, perhaps charges at nearby hotels or dinners at the same restaurant.
Big Data Analysis Makes Breaches a Greater Threat to Cyber-Security
Airline records obtained in a breach would confirm when those employees have traveled and where they came from. Suddenly, you now have the beginnings of a picture of some operation that this agency has carried out.
While such travel data won’t reveal a purpose of that hypothetical meeting, other information could. For example, if you have the person’s job title and work location, as you would have had from the FBI data breach, then you’d know if there might be a meeting on a topic within their specialty.
Compare that with other hotel stays and other airline arrivals, and you might be able to see whom they’re meeting with. While this may sound like a large collection of a lot of tiny details, this is exactly the sort of analysis that works best with big data. All you need is access to many small details over a lot of data.
“You can predict what they’re going to do, where they’re going to be,” Chakravarty explained. He said that with the right data, you can understand a person’s behavior and their motives and from that you can usually determine their intent. “We get so paralyzed by an ocean of information,” he said. “Most people don’t know what to ask for.”
Part of the reason many people don’t know what to look for is because they’re looking for the wrong thing. While there are plenty of specifics that might be useful on some level, it’s the big picture that really shows up if you know how to look for it. That technique is called data looming.
Just as a loom is used to create patterns into woven fabric, data looming is a way of looking at big data to reveal patterns inside data. If you examine all of that data that’s been gathered, it’s possible to find those pattern and then discover actions or vulnerabilities that may not appear by examining each data set separately. But this is only possible with enough data.
The national security challenge, then, is to deny the bad guys the data they need to perform their data looming, to make it impossible to discover those patterns in the data. Without those patterns, it becomes much more difficult to determine how those employee records fit into an overall picture.
Unfortunately, with the low level of security currently being displayed by the U.S. government, the data needed for big data analysis or data looming is far too easy to get. While it’s unlikely that President Obama’s $19 billion cyber-security project will make it through Congress, the need is there even if the method is wrong.
Cyber-security is critically needed, of course, but it needs to start at the retail level, one agency, one credit card provider at a time. That big effort is probably doomed, but lots of small efforts would make a bigger difference anyway.