“It’s all about the data” is a frequently used rallying cry in cyber governance circles. But perhaps the more accurate catchphrase would be, “it’s all about information integrity.” While the protection of data is at the center of cybersecurity, privacy, and internet functioning, most of us are end users of the information that data comprises. Approaches to cyber governance need to give more prominence to the concept of information integrity in addition to the current emphasis on data security.
Information integrity can be defined as the confidence or assurance that the data underlying information has not been tampered with, altered, or damaged. Information integrity, along with data authenticity and security, matters most in three respects: first, the information that is transmitted to and from financial institutions, citizens, governments, the media, the military, political parties, the private sector, security services, etc.; second, information that is collected from the world around us and interpreted to enable learning and help individuals and societies prepare for likely events; and, third, the information that drives critical infrastructure, instructing industrial control systems to perform tasks.
Concerns about data and information integrity are not new. Mistakes in gathering and interpreting data have always been made and we continue to see daily computer glitches leading to major flight delays, financial transaction paralysis, and power outages. However, data errors are not always mistakes. Some people have always lied and manipulated information for personal and professional gain; diplomacy has been characterized as lying abroad for the good of the country, and it should not surprise anyone that people will also lie and cheat in cyberspace.
Despite attempts to address cybersecurity governance in recent years, including important contributions from international organizations and national governments, an important and yet unrealized opportunity exists to better educate internet users, particularly those receiving and sharing information on social media, on the integrity of online information. Safeguarding a trustworthy internet and building confidence in the integrity of information is a critical part of a strong cybersecurity regime in our modern networked age not only to protect infrastructure and consumer products, but also because there is a growing risk that political and personal decisions are based on inadequate or false information in cyberspace.
Cybersecurity in Critical Infrastructure
Most societies are highly dependent on networked connectivity for their critical infrastructure, including in the financial and banking, energy production and transmission, transportation, and communication sectors. The safety of national and international critical infrastructure has increasingly been a focus of attention, as attacks against these sectors have exposed the scale of their vulnerability. Leaders in many of these industries had believed they were immune from attacks, imagining that their facilities and assets were “air-gapped”—connected to neither the internet nor other computers linked to unsecured networks. Firewall breaches, increasing awareness of the limitations of physical separation, and human behavior have led all but the most intransigent to the understanding that it is prudent to act as if all modern infrastructure is connected at some point to the wider world and that all cyber technologies have vulnerabilities that may be exploited for cyberattack.
Such cyberattacks may include data and proprietary information theft, ransom attacks, and financial fraud. They may also be far more serious and focus on the hijacking of industrial control systems, including supervisory control and data acquisition systems. There have been many attempted—and some successful—attacks within the energy, transport, financial, and communication sectors. The so-called Stuxnet attack, the most well-known in the energy sector, was aimed at the industrial control systems of Iran’s uranium enrichment centrifuge facilities. There have been a number of other attacks on nuclear facilities—an issue that the nuclear industry is now addressing in a serious fashion. Other parts of the energy sector, including production and transmission, have been subject to attacks that shut down energy delivery to other industries.
The military and commercial space sector is an attractive target to certain hackers and steps are now being taken to enhance cybersecurity and resilience in space and at receiving and transmitting ground stations. This is particularly important for the global positional, navigational, and timing data that is used in electronic components throughout private industry and in our societies. The aviation industry has been paying significant attention to cybersecurity for aircraft and air traffic control, and, more recently, railway and maritime transport authorities are addressing their exposure to cyber threats.
The internet of things, which is already established in large industries and is set to become a significant component of daily life in homes, cars, and offices by connecting people to gadgets, refrigerators to supermarkets, and cities to cities, is already vulnerable to attack.
Information Integrity for Intelligence
In many respects, information integrity for intelligence gathering and analysis ought to be the most readily soluble cyber governance problem, because the necessity for authenticity is embedded in the scientific method. Ensuring that the methods of data collection, transmission, analysis, and interpretation are accurate, consistent, and reliable is the bedrock of scientific exploration on which the intelligence enterprise is—or at least ought to be—founded. However, in the world of intelligence gathering—whether it be in the commercial or governmental sectors—practicing the scientific method, particularly validation through repetition, is often impossible (although triangulation of methodologies and sources is a good substitute). There is the additional complication of malicious actors deliberately inserting false information into the process, which also occurs in scientific research. Recognizing deliberately false information, including spoofed or manipulated data, is a non-trivial task. The tried and tested methods of analysis are fraught with difficulties in the murky world of covert data gathering and even more so in the cyber world, where the identification of individuals is easily subject to deception and data is frequently spoofed. New forms of information authentication are needed for the modern networked age to ensure policymakers have the best intelligence analysis available.
Moreover, intelligence officials and policymakers need to have a more nuanced conversation that addresses the issues of uncertainty in both information gathering and analysis. The mistakes made in the lead-up to the Iraq War, when basic problems with source authenticity, data integrity, and analysis were overlooked by senior policymakers despite high uncertainty warnings and caveats from the UN and intelligence experts, were a portent of things to come. The problems that arose then were not due to spoofing, but show how the narrative framework created by political interests can drive the debate and eradicate much-needed skepticism. In the echo chamber of cyberspace, the noise and chatter can drown out a cautious, scientific approach, and force policy positions based on inadequate, uncertain, and false information.
Information Integrity, Cybersecurity, and Societal Decision-Making
Though propaganda and the “spinning” of information are all considered part of the normal rough and tumble of many countries’ domestic politics, the revelations of numerous fake news stories that fed into the 2016 U.S. presidential election suggest that the ways in which false information can be spread and can deceive have reached new levels and have prompted analysts to study the effect of such stories on decision-making and voting patterns.
What is new is the speed at which the propaganda is distributed via social media, buoyed by an apparent lack of skepticism and healthy distrust of information that has previously characterized an informed electorate. In order to generate advertising income using algorithms that monitor and drive readership, a number of enterprises began fabricating stories that attracted voters. Fact-checking facilities during both the 2016 U.S. election and the 2016 United Kingdom referendum on remaining in or leaving the European Union seemed to have little influence on the beliefs of voters. New techniques that combined social media monitoring, psychological profiling, and targeted posting by, for example, Cambridge Analytica, also served to ramp up the so-called bubble effect. Moreover, U.S. intelligence agencies revealed evidence that Russia was using cyber techniques to influence the outcome of the U.S. election. One aspect of the interference was a phishing expedition that successfully enabled the hacking of the Democratic National Committee’s email server. Another was the insertion of false propaganda into the news and social media posts to undermine one of the candidates.
People have become more aware of the dangers of phishing or scamming ventures online, although many continue to be fooled by them. Cybersecurity, cyber hygiene, and cyber assurance measures have been established by governments and financial institutions to support the trust of ordinary people in their online activities. However, there is an overall lack of trust in the internet and people are fearful of cyberattacks, particularly with regard to their personal information and finances. However, people tend to trust information that is posted by friends and others in their social and political circles on social media platforms. Therefore, it is vitally important for people to learn to recognize what is and what isn’t trustworthy on the internet, especially on social media, in order to sustain the integrity of the internet and promote best cybersecurity practices.
Cybersecurity is the basis for trust in the integrity of information on the internet, without which there can be no confidence in or privacy of information. However, the need for cybersecurity also requires government security branches to find and prosecute cyber criminals—be they scam merchants, sexual abusers, or terrorists. This could require entrusting governments with the power to enable intrusion into personal communications, which could serve to undermine trust between governments and citizens. Likewise, private companies have access to significant amounts of data on their clients. If this data is not kept securely, it can be hacked and misappropriated by cybercriminals. In addition, some companies use this data for intrusive marketing campaigns. False information about individuals can also remain on the internet even when legally refuted, which has led to the EU’s “right to be forgotten” legislation.
Further International Action
There have been attempts to address cybersecurity in the international system. In 2013, the first Tallinn Manual on International Law Applicable to Cyber Warfare, published by an international group of experts facilitated and led by the NATO Cooperative Cyber Defense Center of Excellence, stated that jus ad bellum (right to war) and international humanitarian law apply to cyber conflicts and cyberwarfare. In 2015, the fourth UN Group of Governmental Experts noted that common understandings of how international law applies to state use of information and communications technologies. The 2015 U.S.-China Cyber agreement was aimed at strengthening bilateral relations, cooperating on investigating cybercrimes, and promoting behavioral norms in cyberspace. In the 2016 One Internet report, the Global Commission on Internet Governance laid out the case for taking action against a “dangerous and broken cyberspace.”
Currently, the fifth UN Group of Governmental Experts is deliberating on how to take forward its work on international norms and law; the Tallinn Manual 2.0 on International Law Applicable to Cyber Operations will be launched in April 2017; and the Netherlands, together with The Hague Center for Strategic Studies and the EastWest Institute, have launched the Global Commission on the Stability of Cyberspace, which will convene over a three-year period to develop proposals for norms and policies to enhance the stability of cyberspace.
A code of conduct for cyberspace is being proposed as a potential way forward for the governance of behavior online. Such a code would be inspired by the codes of conduct or ethics on, for example: ballistic missile proliferation, arms exports, or information security. Another approach could be to build on the International Telecommunications Union’s Global Cyber Security Index and its approach to adoption of regionally and internationally harmonized legislation.
An international approach to technical methods for information integrity and data security would be of considerable value. One approach would be the capability to send to social media users warnings regarding the authenticity and veracity of online information. The multi-stakeholder process for internet governance could further develop guidelines and standards for internet providers, social media platforms, and websites on how to help their readers and participants develop a sense of what is true and what is false and build confidence in the integrity of the internet.
As the internet comes of age and humanity becomes an integral part of the internet of things, coupled with new advances in artificial intelligence, the need to educate for cyberspace activities is becoming urgent. Many countries have education programs on online safety and security as well as cyber hygiene. But their citizens also need to know how to discern what is trustworthy and how to recognize falsehoods and propaganda on the internet. Critical assessment of available information is one of the most important skills both offline and online. These skills should be taught through the formal national and international education systems and beyond. One is never too young to start thinking critically and—unfortunately—never too old to be spammed, phished, or conned.