You’re rushed to the hospital after a serious car accident. Doing her job, the admitting physician verifies your blood type prior to giving you a life-saving transfusion. But no one knows the hospital’s medical records have been hacked — but not stolen. In this case, your records have been changed, reflecting a blood type that if transfused, would likely kill or seriously harm you. Welcome to the age of data manipulation.
Manipulating data is the latest trend in cybercrime, and it’s on the rise. The most recent study by Ponemon Institute and Accenture warned that attacking data integrity is the “next frontier.” To understand how we got to this point, we need to take a look at the evolution of cybercrime over the past two decades and how hackers seek a variety of hacking outcomes.
An approximate cybercrime timeline
Early on, cybercriminals were mostly looking to restrict access to your data availability, using malware to launch Denial of Service attacks, where legitimate users are kept from accessing a network, information or devices. Their motivation was twofold: to test their hacking tools for larger campaigns and to disrupt business operations of predetermined targets.
Next, hackers expanded their exploits to steal data out of large databases — such as the Equifax breach that compromised the personal information of 143 million Americans — and sell it for a profit on the dark web. The cybercriminals’ primary motivation was good old fashioned greed.
Simultaneously, cybercrime expanded into espionage, using malware and other methods to obtain secret files from U.S. defense contractors, including plans for the F-35 jet from Lockheed Martin.
Then came cyberextortion, like when Sony Pictures was hacked just before it released the anti–Kim Jong-un movie, “The Interview.” At the time, the FBI said North Korea was responsible for the attack, but five years later questions about the perpetrators and motives remain, which just goes to show how hard it is to identify cybercriminals.
On the heels of cyberextortion came disinformation and influence campaigns, like those used with Brexit and the 2016 U.S. presidential election.
The point of this brief history lesson is to demonstrate how quickly sinister actors migrate time-tested tools of crime (fraud, extortion, disinformation, etc.) into cyberspace.
Data manipulation is mostly unique to cyberspace
The old fashioned alteration of checks, IDs and airplane tickets aside, data manipulation is a crime that grew exponentially in cyberspace. Former U.S. Cyber Command and NSA head admiral Michael Rogers said his worst-case attack scenario would involve data manipulation “on a massive scale.”
Despite Rogers’ warning, the U.S. government continues to drag its feet on combating cybercrime, including data manipulation, which is now being discovered only after the fact by security teams. And I’m expecting that data alteration attacks will quickly become one of the most pernicious and undetectable threats for nation-states and corporations around the world.
To expand on my previous example, it’s no longer just your blood type at risk. It’s the blood type, address and information on the family members of every soldier, spy and diplomat serving the United States. The potential to inflict great harm is enormous.
Cybercrime is like a virus altering your DNA
Data manipulation is unique among cybercrimes because it’s not about taking the information — it’s about altering the data. The information generally never leaves the owner’s servers, so the criminal raises no red flags that something is amiss. This makes it much harder to catch, and it can be much more destructive. Think maliciously altering flight plans with air traffic controllers, altering bank account balances, or appending your criminal record with fictitious arrests.
Think of data manipulation as a virus that invades the body and alters its fundamental DNA. The damage is done quietly, and you may never know it happened.
The integrity of our data is at stake
In 2017, a Michigan man hacked the IT system of the Washtenaw County Jail and altered the release date of a friend who was serving a sentence there. The hacker used a social engineering campaign to trick workers at the jail into downloading malware on their computers and was then able to access and change the data. Luckily, staff noticed something was amiss and used paper records to verify the sentence But the scheme cost Washtenaw more than $230,000, and the criminal got access to the personal information of over 1,600 people.
Getting a friend out of jail is one creative use of data manipulation, but there are far more nefarious uses, such as altering operating procedures on nuclear facility instruction manuals, modifying software code in driverless vehicles, and changing the temperature threshold on refrigeration equipment or power turbines. And of course, as we’ve already experienced, altering votes or voter eligibility.
The stock market is another place that’s ripe for data manipulation. As the Wall Street Journal reported last year, 85% of stock market trades happen “on autopilot — controlled by machines, models, or passive investing formulas.” Consequently, if the underlying data that feeds the algorithms is altered by hackers, it could create widespread chaos in the markets and ultimately destabilize the global economy.
The biggest threat may be to the healthcare industry, which has become a prime target in ransomware attacks, and where the effects of data manipulation can be deadly. To underscore this point, researchers in Israel created malware that can add realistic but fake malignant growths to CT or MRI scans before they’re reviewed by doctors or radiologists. Likewise, the malware can remove cancerous nodules or lesions from patients’ scans.
In April, The Washington Post reported on the malware and revealed that a blind study conducted by researchers at Ben-Gurion University Cyber Security Research Center had devastating results. “In the case of scans with fabricated cancerous nodules, the radiologists diagnosed cancer 99 percent of the time. In cases where the malware removed real cancerous nodules from scans, the radiologists said those patients were healthy 94 percent of the time.”
When it comes to cybercrime, the best defense is a good offense
Because the defense of data integrity is in its early stages, there is very little that organizations can do to defend against manipulation once the cybercriminals have cracked into critical databases. Few organizations possess the tools to accurately detect and eliminate data manipulation, and those tools are more than a year away.
In the meantime, your solution is to keep criminals out of your data in the first place, using the tools that I talk about in every one of my presentations. When it comes to data integrity, prevention beats recovery every time.
John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker and expert on data integrity, cybersecurity and tech/life balance.