The Danger – and Simplicity – of Cognitive Attacks
The allegations of Russian influence on the 2016 election have been in the news for months. President Trump has claimed that Russian meddling was a hoax, but according to the Mueller investigation, that’s been proven false. While the Russians didn’t hack into polling systems, they did employ a different kind of attack: a cognitive hack. James Bone explains the concept, why cognitive hacks are so effective – in politics and in business – and what we can do to guard against them.
When we think of hacking, we think of a network being hacked remotely by a computer nerd sitting in a bedroom using code she’s written to steal personal data or money – or just to see if it is possible. The idea of a character breaking network security to take control of law enforcement systems has been imprinted in our psyche from images portrayed in TV crime shows, but the real story is much more complex, yet simple in execution.
The idea behind a cognitive hack is simple: “Cognitive hack” refers to the use of a computer or information system (social media, etc.) to launch a different kind of attack. The sole intent of a cognitive attack is to “change human users’ perceptions and corresponding behaviors in order to be successful.”[1] Robert Mueller’s indictment of 13 Russian operatives is an example of a cognitive hack taken to the extreme, but it demonstrates the effectiveness and subtleties of an attack of this nature.[2]
Mueller’s indictment of an elaborately organized and surprisingly low-cost “troll farm” set up to launch an “information warfare” operation to impact U.S. political elections from Russian soil using social media platforms is extraordinary and dangerous. The danger of these attacks is only now becoming clear, but it is also important to understand the simplicity of a cognitive hack. To be clear, the Russian attack is extraordinary in scope, purpose and effectiveness; however, these attacks happen every day for much more mundane purposes.
Most of us think of these attacks as email phishing campaigns designed to lure you to click unwittingly on a link that will enable hackers to gain access to your data. Russia’s attack is simply a more elaborate and audacious version to influence what we think and how we vote and to foment dissent between political parties and the citizenry of our country. That is what makes Mueller’s detailed indictment even more shocking.[3] Consider, for example, how TV commercials, advertisers and, yes, politicians have been very effective at using “sound bites” to simplify their story to appeal to certain target markets. The art of persuasion is a simple way to explain a cognitive hack – an attack focused on the subconscious.
It is instructive to look at the Russian attack rationally from its [Russia’s] perspective in order to objectively consider how this threat can be deployed on a global scale. Instead of spending billions of dollars in a military arms race, countries are becoming armed with the ability to influence the citizens of a country simply through information warfare – at the low cost of just a few million dollars. A new, more advanced cadre of computer scientists is being groomed to defend and build security for and against these sophisticated attacks. This is simply an old trick disguised in 21st-century technology.
A new playbook has been established to hack political campaigns, and it’s being used effectively around the world, as documented in an article from March 2016. For more than 10 years, elections in Latin America have become a testing ground for how to hack an election. The drama in the U.S. reads like one episode of a long-running soap opera, complete with “hackers for hire,” “middle men,” political conspiracy and sovereign country interference.
“Only amateurs attack machines; professionals target people.”[4]
Now that we know the rules have changed, what can be done about this form of cyberattack? Academics, government researchers and law enforcement have studied this problem for decades, but the general public is largely unaware of how pervasive the risk is, as well as the threat it imposes on our society and the next generation of internet users.
I wrote a book, “Cognitive Hack: The New Battleground in Cybersecurity…the Human Mind,” to chronicle this risk. In it, I propose a cognitive risk framework to bring awareness to the problem. Much more is needed to raise awareness among organizations, government officials and risk professionals around the world. A new cognitive risk framework is needed to better understand these threats, identify and assess new variants of the attack and develop contingencies rapidly.
Social media has unwittingly become a platform of choice for nation state hackers who can easily hide the identity of organizations and resources involved in these attacks. Social media platforms are largely unregulated and, therefore, are not required to verify the identity and source of funding to set up and operate these kinds of operations. This may change, given the stakes involved.
Just as banks and other financial services firms are required to identify new account owners and their source of funding, technology providers of social media sites may also be used as a venue for raising and laundering illicit funds to carry out fraud or attacks on a sovereign state. We now have explicit evidence of the threat this poses to emerging and mature democracies alike.
Regulation is not enough to address an attack this complex, and existing training programs have proven to be ineffective. Traditional risk frameworks and security measures are not designed to deal with attacks of this nature. Fortunately, a handful of information security professionals are now considering how to implement new approaches to mitigate the risk of cognitive hacks. The National Institute of Standards and Technology (NIST) is also working on an expansive new training program for information security specialists specifically designed to understand the human element of security, yet the public is largely on its own. The knowledge gap is huge, and the general public needs more than a catchy slogan.
A national debate is needed between industry leaders to tackle security. Silicon Valley and the tech industry, writ large, must also step up and play a leadership role in combatting these attacks by forming self-regulatory consortiums to deal with the diversity and proliferation of cyber threats through vulnerabilities in new technology launches and the development of more secure networking systems. The cost of cyber risk is far exceeding the rate of inflation, and it will eventually become a drag on corporate earnings and national growth rates as well. Businesses must look beyond the “insider threat” model of security risk and reconsider how the work environment contributes to risk exposure to cyberattacks.
Cognitive risks require a new mental model for understanding “trust” on the internet. Organizations must begin to develop new trust measures for doing business over the internet and with business partners. The idea of security must also be expanded to include more advanced risk assessment methodologies along with a redesign of the human-computer interaction to mitigate cognitive hacks.
Cognitive hacks are asymmetric in nature, meaning that the downside of these attacks can significantly outweigh the benefits of risk-taking if not addressed in a timely manner. Because of the asymmetric nature of a cognitive hack, attackers seek the easiest route to gain access. Email is one example of a low-cost and very effective attack vector which seeks to leverage the digital footprint we leave on the internet.
Imagine a sandy beach where you leave footprints as you walk, but instead of the tide erasing your footprints, they remain forever present with bits of data about you all along the way. Web accounts, free Wi-Fi networks, mobile phone apps, shopping websites, etc. create a digital profile that may be more public than you realize. Now consider how your employees’ behavior on the internet during work connects back to this digital footprint and you are starting to get an idea of how simple it is for hackers to breach a network.
A cognitive risk framework begins with an assessment of risk perceptions related to cyber risks at different levels of the firm. The risk perceptions assessment creates a cognitive map of the organization’s cyber awareness. This is called cognitive governance, the first of five pillars to manage asymmetric risks. The other five pillars are derived from the findings in the cognitive map.
A cognitive map uncovers the blind spots we all experience when a situation at work or on the internet exceeds our knowledge of how to deal with it successfully. Hackers use these natural blind spots to deceive us into changing our behavior: clicking a link, a video or a promotional ad, or even changing what we read. Trust, deception and blind spots are just a few of the tools we must incorporate into a new toolkit called the cognitive risk framework.
There is little doubt that Mueller’s investigation into the sources and methods used by the Russians to influence the 2016 election will reveal more surprises, but one thing is no longer in doubt: the Russians have a new cognitive weapon that is deniable but still traceable for now. They are learning from Mueller’s findings and will get better.
Will we?
[1] http://www.ists.dartmouth.edu/library/301.pdf
[2] https://www.bloomberg.com/news/articles/2018-02-17/mueller-deflates-trump-s-claim-that-russia-meddling-was-a-hoax
[3] https://www.scribd.com/document/371673084/Internet-Research-Agency-Indictment#from_embed
[4] https://www.schneier.com/blog/archives/2013/03/phishing_has_go.html