It is January 2017, and as Donald Trump prepares to take over as the new President of the USA, the debate rumbles on about the possible hacking, leaking and disinformation associated with Hilary Clinton’s election campaign. So what should we make of these allegations? Let’s look at what we know.
In March 2016 Hilary Clinton’s campaign manager, John Podesta, received an email warning him that his Internet mail account password had been compromised and that he should immediately change it. Unfortunately Mr. Podesta was naïve regarding Internet mail security and was unaware that he was the victim of a spear-phishing attack. He responded to the warning and his mail account was hacked with the greatest of ease. What was the impact?
Many people have speculated about the source of this and other associated attacks, citing foreign state sponsored interference in the US election process, but for our purposes here it hardly matters who were the perpetrators – the fact is that someone with malicious intent wanted to discredit the Clinton campaign and was using information warfare as a means to achieve that aim. We can let the politicians rant and rave about who and why, but it provides a very useful case study in how information warfare can be used against a potential target – you for example.
Once the integrity of your systems is brought into question you become vulnerable to all sorts of accusations, which may or may not be true. One outcome is that some embarrassing truths are leaked and revealed – dirty washing exposed in public. However, it’s not clear whether this information is indeed the truth. If your opponents can demonstrate that your system is compromised, then they can spread both truth and lies without anyone being able to tell the difference, and without you being able to defend yourself. What would you do? Admit that some is true in order to deny the untruths? Will you be believed? Probably not, because once the opponents can demonstrate that the integrity of your system has been breached they can quickly turn that into a breach of your own personal and corporate integrity. There will always be doubt about counter-claims and denials that you make.
Let’s skip into another business domain to see this effect more clearly. You are a large pharmaceutical company and have invested huge amounts of money developing and testing a new drug. You have five years of clinical trial data stored on a system, data that is essential for gaining public confidence and receiving a license to release the drug for general use on humans. Someone hacks into your database and claims to have altered the data, rendering it unusable. Your investments are under threat. What do you do next?
You can try to deny that the data is corrupted, that you have back-ups in safe places, that you have integrity checks on the data, and so on. Claims and denials are one thing, but what matters is the ability to demonstrate integrity – to support your claims and denials with hard evidence. The opponent needs no such rigour, because just by claiming to have penetrated your system they have brought the integrity of your data into question. They may not even have made a successful attack – this is all about confidence and proof, the onus of which is always on you. Legal principles do not apply – you are guilty until you can prove otherwise (ask Hilary Clinton). There’s no smoke without fire. Confidence is based on belief, and the only way to change belief is by presenting evidence that is believable.
So, assume that one day you will be subject to an information warfare attack. Do some scenario planning and understand the possible consequences. Then decide on measures you need to be able to refute untrue allegations. Oh – and make sure your staff are not so naïve and stupid as Mr. Podesta. Education and culture development are very important. SABSA thinking can help by identifying the attributes that characterise your business requirements and provide measurable hard evidence that can be shown in public to support any claims or denials you will need to make when this happens to you.
The Attributer