In Industry ry and the Operational Environment of f the Future - - PowerPoint PPT Presentation

The In Information Disruption In Industry ry and the Operational Environment of f the Future

By Vincent H. O’Neil

Outline

• Executive Summary
• Introduction
• The Expanding Information Disruption Industry
• Ramifications for the Operational Environment
• What to Do—First Steps
• Summary

Executive Summary ry

Use of everyday technology to collect personal data is increasing, and as these efforts become more intrusive, popular resentment is likely to grow. If that irritation reaches a tipping point, existing privacy protection services will expand enormously—creating an Information Disruption Industry (IDI) dedicated to thwarting the collection, storage, and sale of personal data. The expanded IDI’s efforts will do direct and indirect damage to a wide range of systems—even systems unrelated to personal data collection. This likely scenario has the potential to seriously impact the information landscape in 2035, if not sooner.

Collection of f Personal Data

People are already concerned about this collection:

• Mentioning a product in an electronic communication often

causes the appearance of online ads about that product

• Cases such as the Cambridge Analytica scandal show large-

scale collection of personal data goes on without public consent

• News stories and/or personal notifications about corporate

data breaches feed the belief that no collected information is safe

Popular Resentment

Resentment: Bitter indignation at being treated unfairly The targets of the data collection dislike the invasion of their privacy already. That feeling is multiplied by the realization:

• They’re paying for the devices (phones and cars) commonly

used to track their behavior, habits, and movements

• The tracking and collection is often concealed from them
• Their personal devices could potentially be accessed as part
• f legal proceedings

The Tip ipping Point

Public opinion could be shifted to outright resistance by news stories showing data collection can cause actual harm:

• Domestic violence victims hiding from their tormentors who

were uncovered by technological tracking

• Conviction of innocent people through the use of

circumstantial evidence gained through personal data collection

• Social media analysis by employers and/or universities that

rejected qualified candidates

Expansion of f th the Dis isruption In Industry

Entities offering services designed to thwart the collection and sharing of personal data already exist. Once people see data collection and technological tracking as a real threat, they’ll pay to protect themselves. That funding will generate the expanded IDI. The IDI’s techniques will range from stealthy alteration of data to the crashing of entire systems. PRECISION

Brute force & ignorance Skill & daring

Precise Dis isruption

• Target specific information as directed by the client

(movements, purchases, personal communications)

• Leave other information intact (high credit score, records of

education & employment)

• Key goal is to do this without detection
• Attracts staff from the collection industry—better pay and

more socially acceptable

• Will still do damage to systems:
• Disruption of normal system functions
• Unintended consequences
• Numerous, uncoordinated actors

Im Imprecise Dis isruption

• Monkey wrench-in-the-gears approach
• Low-end, low-margin business
• Not concerned with stealth
• May crash entire systems
• Cover for hackers—identifying a Trojan Horse is difficult

when it arrives in the middle of a stampede

• May give a significant boost to privacy protection overall:
• Cast doubt on the reliability of collection efforts
• Reduce the value of purchased data

Le Legal Acceptance

• Numerous court cases (lawsuits and criminal actions) are

likely to arise from this conflict

• Supreme Court rulings that connect the IDI—or its clients—

with the defense of individual rights will make the IDI even more socially acceptable and give it legal protection

• Even if the collectors pledge to stop gathering personal

information, the public is unlikely to believe it

• The more precise operators could also offer a service where

they monitor clients’ personal information and repair it when it’s damaged by the IDI

Continuous and Wid idespread Dis isruption

The IDI will attack the collection, storage, and dissemination

• f personal data at every level and at every step in those

processes. This will create a kaleidoscopic information landscape populated with data that requires frequent verification and systems that malfunction randomly. All of this will generate second-order effects that will be as harmful as they are unpredictable.

Second-Order Effects

The increasingly interconnected nature of the technological world will magnify the impact of any disruptions and generate problems in unexpected areas. Hooking everything from household appliances to hospital information systems to the internet creates a myriad of

• pportunities for intentional—and unintentional—disruption.

Second-Order Effects - Example

Tracking technology that utilizes the GPS system will be a particularly important target for the IDI. Disrupters seeking to prevent the collection of information regarding a client’s movements could attack the system itself or leverage systems that connect to it. The argument that barriers are in place to prevent this is not sufficient, because the tech is constantly changing. Seemingly minor adjustments to code, hardware, and protocols can create unexpected vulnerabilities.

Ramif ific ications for the Operational l Envir ironment

The expanded IDI has the potential to seriously impact the

• perational environment in 2035— if not sooner.

Most US military technology is created by civilian businesses, and modified versions can be sold in non-military markets. That intersection alone has the potential to render many military systems vulnerable. Former military personnel will also join the ranks of disrupter

• rganizations, bringing valuable knowledge about the setup,
• peration, and weaknesses of those systems.

Additionally, the confused nature of the information landscape will assist actual enemy actors in their attempts to attack government and military systems.

Non-Military ry Targets

These attacks won’t necessarily need to be directed at military targets: Disruptions of civilian communication systems will have a negative impact on deployed troops who have gotten used to being able to contact their loved ones. Other disruptions such as compromised credit scores and frozen bank accounts cannot help but distract deployed soldiers from their missions and focus their attention back home.

GPS Dis isruption

Revisiting the previous example regarding the GPS system, any disruption of satellite location functionality could have enormous consequences for the operational environment. Lost units, misdirected supplies, and errant ordnance are just a few of the potential ramifications. No matter how advanced the technology becomes, it’s only going to be as accurate as the information it uses and as secure as the other systems it accesses.

Support Systems

Use of civilian technology for maintenance and logistical functions leaves these vital areas open to the effects of any disruptions that occur in those systems worldwide. Patches and updates for these products are usually mandatory and, while they may be designed to address a problem or shortcoming in the existing system, they could also carry code or information from disrupter organizations.

What to Do—First Steps

Operating in this future environment calls for a broad approach designed to prepare for and manage the wide- ranging impact of the expanded IDI. A supervisory authority should be tasked to direct this effort, and every level of the national defense apparatus has a role.

Verify fy th the Data

Establish a mechanism to continuously verify information and generate alerts: The national defense apparatus uses many technological systems, frequently with overlapping

• capabilities. That overlap could be leveraged to verify

information used across these systems and provide warning when data is inaccurate or a function has been disrupted. The systems don’t need to interface to create these verification capabilities—on the contrary, connection would make them vulnerable to the same threats. As an example, this mechanism could provide ongoing checks that geographical location A is actually situated at geographical location A—and raise a red flag when one system says it is not.

Ask, “What If?”

Conduct wargaming at all levels: The operational environment includes a multitude of systems that could be impacted by the IDI. The supervisory authority mentioned earlier should require the owners/operators of each system to identify every system that connects to it and every entity that uses it. Each of those systems and entities will undergo similar analysis, creating a continuously updated nodal diagram showing how these separate factors influence each other. That will be the start point for wargaming the possible results

• f disruptions anywhere across those nodes.

Create Redundancy

Identify substitutes and replacements: No amount of wargaming or testing will prevent disruptions. Commands and units must be ready to lose systems and keep functioning until those systems are available again. Lessons learned in the wargaming will help identify key capabilities that must be maintained. It will also identify systems that might be leveraged to do the different tasks of the missing system in an emergency. When no such temporary replacement can be found, or when a system is simply too important, the creation of a redundant system may be necessary.

Repair th the Damage

Fix broken systems quickly: Identifying the “last functioning point” before a disruption can help recover a malfunctioning

• system. Frequent archiving of data and programming can offer

a chance of “resetting” the system to an earlier point that brings it back into operation. Lessons learned from cyber attacks and security breaches that

• ccur in peacetimes should be analyzed for techniques that

can be applied during wartime. Existing disaster recovery and data recovery programs, both public and private, could be good sources of additional tips and techniques for this.

Id Identify fy Quic ick Fix ixes

Analyze field-expedient solutions: The supervisory authority should create a “best practices” center that solicits, verifies, tests, and disseminates information on variations, substitutions, and workarounds developed in the field. These best practices should be promulgated widely, so that people working with System A will be aware of a workaround in System B that can also be applied to System A in an emergency.

Provide In Incentives

Encourage innovation and participation: Get everyone involved in conducting “What if?” analysis and identifying field expedients by creating a rewards program. Money, public acknowledgment, medals, and promotions can help motivate people to ask these questions and come up with solutions ahead of time.

Train Wit ith Manual Options

Train with manual options: Leverage the results of the “what if?” analysis and field expedients to identify every possible means of manual intervention or substitution when a system—or part of a system—is disrupted. Make training on these manual options mandatory, and include them in all operational manuals. No matter how much effort goes into preparing for the loss of a system, the force must be ready to do without a system for a protracted period of time when necessary. When a substitute system isn’t available and a manual option is, the force needs to be trained and ready to use that manual option.

Summary

• Popular resentment of personal data collection is likely to

cause a dramatic expansion of the Information Disruption Industry (IDI)

• The IDI’s efforts will do direct and indirect damage to a wide

range of technological systems—even systems unrelated to personal data collection.

• This likely scenario has the potential to seriously impact the

information landscape in 2035, if not sooner.

• Operating in this future environment calls for a broad

approach designed to prepare for and combat the wide- ranging impact of the IDI.

About th the Auth thor

Vincent H. O’Neil is a risk manager, writer, and public speaker. He holds degrees from West Point and The Fletcher School. He’s also the author of the Frank Cole mystery novels from St. Martin’s Press and the Sim War military science fiction series (written as Henry V. O’Neil) from HarperCollins. www.vincenthoneil.com www.linkedin.com/in/vincenthoneil