I promised to walk someone through our Truth&Trust Online #TTOCon (thanks @TTOConference!) poster on “left-of-boom misinfosec” yesterday, but we missed the slot. I hate to disappoint, so here’s your online version…
— Sara-Jayne Terp is in the UK (@bodaceacat) October 6, 2019
Check out this thread by Sara-Jayne Terp of the Misinfosec Working Group.
Last year, Sara proposed the ingenious idea that, like cyber operations, cyber-enabled information operations (and disinformation) also pivot around the foundational triad of cybersecurity: confidentiality, integrity and availability (C-I-A).
I thought that was a phenomenal statement as it allowed us to define cyber-enabled information operations in machine-to-machine taxonomies and ontologies.
During her talk at the Weaponised Information summit, organised by a think tank of the US Special Operations Command, she proposed the creation of an ATT&CK-like structure for information operations. ATT&CK is an ontology, a body of common knowledge around post-exploitation techniques used in mission-driven cyberattacks. We also have CAPEC, which is more C-I-A centric, whereas ATT&CK is threat-centric.
Pretty soon, her idea culminated in the Misinfosec Working Group, a motley bunch of cognitive scientists, threat intelligence researchers and data analytics experts.
In less than a year, it has come up with Adversarial Misinformation & Influence Tactics and Techniques (AMITT) — an ATT&CK-like TTP-set. TTPs define adversarial Tools, Techniques & Procedures.
This ontology is now being mapped to a machine-readable taxonomy using the structured threat intelligence format STIX. Misinfosec also heralded the creation of the Cognitive Security Information Sharing & Analysis Organisation (ISAO), a threat intelligence sharing body.
It’s interesting that this is happening at a time when even ATT&CK is being fused with STIX.
To my mind, all of this marks the eventual blending together of cognitive and cyber attack surfaces.
But why is that important?
I think that we are going to see the increasing exploitation of cyber-cognitive attack surfaces, because the cost-benefit balance is now heavily tilted in their favour. It’s like what conventional cyber operations used to be 20 years ago: cheap and effective at scale and speed. An example would be ISPR’s manoeuvring during the recent Indo-Pak escalation.
I have been a lurker and a raconteur at the Misinfosec Slack channel since its founding. So, I will make one prediction: my emergent mind says that Misinfosec would also aid the creation of cyber norms.
Right now, the cyber norms community, dominated by lawyers, only interprets the first- or second-order effects of cyberattacks, and even then in a physical or kinetic sort of way. The reality is that cause and effect could be separated by many, many degrees. Take, for example, the OPM hack. And we miss out on the fact that the impact of a cyberattack is generally an indiscernible mixture of not just effects, but also perceptions.
Cyber norms folks: how do you deal with the OPM hack? State-to-state espionage is a-ok. That’s why Yu Pingan was charged with ‘other’ criminal acts. OPM largely had cognitive effects spread over many degrees. However, John Bolton built a new deterrence strategy inspired by it.
— Pukhraj Singh (@RungRage) October 4, 2019
The complete absence of the cognitive dimension is a big, gaping loophole in the cyber norms discourse, aggravated by the ambiguity around international law.
Misinfosec is one of those projects that would help us divorce normative frameworks for cyber conflict from international humanitarian law, by offering better qualitative and quantitative markers.
If you think about it, even the 2001 Code Red worm was a trademark information operation.