Keep an eye out for the Misinfosec Working Group

Check out this thread by Sara-Jayne Terp of the Misinfosec Working Group.

Last year, Sara proposed the ingenious idea that, like cyber operations, cyber-enabled information operations (and disinformation) are also pivoted around the foundational triad of cybersecurity: confidentiality, integrity and availability (C-I-A).

I thought that was a phenomenal statement as it allowed us to define cyber-enabled information operations in machine-to-machine taxonomies and ontologies.

During her talk at the Weaponised Information summit, organised by a think tank of the US Special Operations Command, she proposed the creation of an ATT&CK-like structure for information operations. ATT&CK is an ontology, a body of common knowledge around post-exploitation techniques used in mission-driven cyberattacks. We also have CAPEC, which is more C-I-A centric, whereas ATT&CK is threat-centric.

Back then, I had blogged about it extensively and also wrote an op-ed for The Tribune.

Pretty soon, her idea culminated in the Misinfosec Working Group — a motley bunch of cognitive scientists, threat intelligence researchers and data analytics experts.

In less than a year, it has come up with Adversarial Misinformation & Influence Tactics and Techniques (AMITT) — an ATT&CK-like TTP-set. TTPs define adversarial Tactics, Techniques & Procedures.

This ontology is now being mapped to a machine-readable taxonomy using the structured threat intelligence format STIX. Misinfosec also heralded the creation of the Cognitive Security Information Sharing & Analysis Organisation (ISAO), a threat intelligence sharing body.

It’s interesting that this is happening at a time when even ATT&CK is being fused with STIX.

To my mind, all of this marks the eventual blending together of cognitive and cyber attack surfaces.

But why is that important?

I think that we are going to see the increasing exploitation of cyber-cognitive attack surfaces, because the cost-benefits are now heavily tilted in its favour. It’s like what conventional cyber operations used to be 20 years ago: cheap and effective over scale and speed. An example would be ISPR’s manoeuvring during the recent Indo-Pak escalation.

I have been a lurker and a raconteur in the Misinfosec Slack channel since its founding. So, I will make one prediction: my emergent mind says that Misinfosec would also aid the creation of cyber norms.

Right now, the cyber norms community, dominated by lawyers, only interprets the first- or second-order effects of cyberattacks, and even then only in a physical or kinetic sort of way. The reality is that cause and effect could be separated by many, many degrees. Take, for example, the OPM hack. And we miss out on the fact that the impact of a cyberattack is generally an indiscernible mixture of not just effects, but also perceptions.

The complete absence of the cognitive dimension is a big, gaping loophole in the cyber norms discourse, aggravated by the ambiguity around international law.

Misinfosec is one of those projects that would help us divorce normative frameworks for cyber conflict from international humanitarian law, by offering better qualitative and quantitative markers.

If you think of it, even the 2001 Code Red worm was a trademark information operation.

Bonus pics: What Iranian information operations looked like in STIX 2.1!