close icon
Mitigations

Information Warfare Offensive

Access to information is valuable but it is also dangerous. Auth0 CISO Joan Pepin explains why information warfare is a big deal

May 14, 2018

How Critical Thinking Skills Can Protect You From Malicious Actors

From the outside, my job as Chief Information Security Officer for Auth0 might look like it’s about devices, apps, protocols and procedures, but those are just my tools. Access to information is valuable but it is also dangerous. My job is really is about balancing the opportunities and risks that information presents.So information warfare is a big deal for me.

The thing is, information warfare didn’t start with the Russians.

An Ancient Strategy for Modern Encryption

“All warfare is based on deception.” — Sun Tzu, The Art of War (550 BC)

Back in 550 BC, Sun Tzu recommended sharing false information as a means of attack. Granted, back then, a single human was limited to face-to-face and hand-transported written communication. In the time it would have taken one of Sun Tzu’s spies to share a sentence, false information can now reach thousands via the internet, each of them geometrically expanding the reach of a single message.

Even thousands of years ago, during the time of Alexander the Great, an ancient general on the hill would see the battle and would get one of his chariot commanders to flank to the east and summon a trusted messenger.

He’d use his secret encoder ring to craft a message on a piece of papyrus, then he’d roll it up and seal it with wax, hand it to that trusted messenger, and send him down the hill. The chariot commander would recognize the messenger and know that he was a trusted source information.

He’d also recognize the seal authenticating the message.

And since he’d be the first to crack the seal, he’d validate that it had not been intercepted. Using his own secret encoder ring, the chariot commander would decode the message. For safekeeping, he would also kill the messenger and burn the papyrus.

That ancient strategy also describes modern encryption and privacy on the internet. Those fundamentals have not changed.

We still need to know that the sender is in fact who the message claims it to because this implies that the content of the message could be genuine.

We still need to ensure that the message has not been intercepted or used inappropriately. And, finally, similar to the killing of the messenger and the burning of the papyrus, we need to know that at the end of its life cycle a message was destroyed in a way that rendered it unable to be reproduced.

This is the full life cycle of safe information.

If you’re going to base a business decision on information, you want to validate these same basic things and verify them. And when you delete the message, you want it to be gone forever. Today, after the very end of tax season, I have a friend who goes through a shredding ritual. He goes through his filing cabinet and shreds everything he doesn’t need, since information is both an asset and a liability. Deleting was just as valid in Alexander’s time as it is today, but much the way the methods for making Greek fire have been lost to time, we are losing the ability to validate and verify information.

Swaying Public Opinion through Volume

By the time the Klondike Gold Rush came around, person-to-person verification still occurred, as did accurate message sharing through the newspapers, but the volume of communication available through mass printing offered a new opportunity to control the story.

While promoting Seattle during the Klondike Gold Rush, Erastus Brainerd used newspaper advertising and feature stories to sway public opinion in a way that had never been done before. His stories appeared in the local papers, in advertisements across the U.S., and again in letters sent directly to various chambers of commerce offering Seattle as the pathway to riches — which proved extremely convincing in the wake of one of the United States’ greatest economic depressions, the Panic of 1893.

People sold everything they had and rushed to Seattle. But travelling across the country (or globe) took time and money and snail mail delivering personal stories was equally slow. By the time the story of Seattle was proven to be more propaganda than truth, many didn’t have the funds or the heart to head home to share their stories. Of the 100,000 who rushed to the Klondike, only 30,000 made it, and only 4,000 found gold.

Historians often say the 1893 depression made people more vulnerable to stories of riches. But newspapers had evolved into a trusted source of information. These stories were reportedly “true,” which encouraged people to shift their critical thinking responsibilities to the papers.

This public opinion campaign established Seattle as a primary city in the Northwest. Companies like Nordstorm and Filson got their start as a result of the Klondike Gold Rush, eventually seeding the start of companies like Microsoft and Amazon. Clearly, opinion campaigns can have lasting effects on the real world that end up impacting global history.

Today, the machinery of our society runs on information and spreads it far faster than Brainerd’s stories. There’s far more information made daily than Brainerd produced in his entire campaign. There’s more machinery to produce it, distribute it, and consume it. Now more than ever, we need that ancient skill of being able to quantify and qualify our information.

Information warfare infographic

"There’s more machinery to produce, distribute, and consume information. Now more than ever, we need skills that helps us quantify and qualify our information."

Tweet

Tweet This

Why People Should Think More like Spies

“…there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know.”

Back in 2002, the U.S. Secretary of State Don Rumsfeld caught a lot of flak about his unknown knowns statement. The reporter was after a direct answer about the lack of evidence linking the government of Iran to terrorist groups with weapons of mass destruction.

“Unknown knowns” and “known unknowns” came across as gibberish to both the right and the left. But for the spooks and spies tasked with analyzing and understanding information from a globe of sources, Rumsfeld’s Unknown Knowns statement actually described a taxonomy of information. Let me break down with an example about a suspected danger — maybe a bomb or a shooter — in a building and whether or not that intel can be validated:

There are known knowns: We have intel that tells us something bad might occur in a specific building in a specific city.

There are known unknowns: While we know the city and the building, we don’t know when the bad thing might happen or what it is.

Unknown knowns: Because we’re not entirely certain we can trust the source of the information, we might know additional information without realizing it’s a salient detail. For example, April might be a critical month one source. May might be a critical month for another.

There are unknown unknowns: Because we lack complete information, there may be additional things — like the number of bombs or shooters — that we aren’t able to determine.

"Like a station chief looking to decide which intel to trust, an era of information warfare should lead you to ask similar questions."

Tweet

Tweet This

Thinking Beyond the TV Box

When I was growing up, public opinion could be swayed by the fact that the majority of us were tuning into the same TV shows at the same time on the same channels. Maybe because TV was a relatively young medium or because Americans had become significantly more jaded since the Klondike, my mother would warned me not to believe most anything I saw on TV. But I liked all the voices on TV. I liked them so much that my mother put me on a TV budget. I was allowed a half an hour in the morning and another half an hour in the evening. For my evening budget, I chose the evening news with Walter Cronkite. Why? Because even though my mother had warned me against all the other voices, Walter Cronkite was a bit different. With his voice and later Tom Brokaw, there was an understanding that the media might have a certain bias, but it was also understood that one could easily compensate for that bias by using your own brain. I understood that someone had crafted the story I was watching. Maybe Walter is a little more on the left than the right, but they weren’t lying. Typically, it was easy to find another reasonable POV to use as a check. You could watch the slightly left-leaning evening news and pick up the slightly right-leaning newspaper and between those two you could easily determine the truth, as well as gain a deeper understanding of both sides. Now information has become so divergent that picking two sources and triangulating between them is not good enough.

The Risk of Unqualified Trust

Current frustrations can make it sound like the media is in full control of all the stories. Back then, my mom drilled into my head that I had to figure out what someone was really saying and why someone might be saying it, the media actually held more power than it does today because people got the majority of their news from television, radio, and the newspapers. With the social media we’ve gained voices we might never have heard, but lost the vetting and some of our individual critical thinking skills — and allowed untrustworthy sources direct access. Within this context, the trust that resided with journalists has been transferred to our network of friends and colleagues. If my mom reads something on Facebook she accepts it as truth because it’s been shared by people she trusts, which is why rapid sharing without fact checking and validating sources can be so dangerous.

Everyone knows fake news is out there, but if everyone trusts the people in their feeds, who are trusting the people in their feeds and so on, it gives malicious actors an easy way to sneak in. We need a web of trust to make this internet thing work, but that also means that each of us has the responsibility to make sure that the message we’re amplifying is an accurate one, because regardless of your political position, inaccurate info does no one any good.

Vetting Info in the Era of Divergence

Although spooks and spies gather information, it’s the station chief who decides its value. In the absence of a Cronkite or a Brokaw, that responsibility when reading a news story has shifted to you. We are each our own information qualifier — and qualifying a news story today is harder than it was when I was a kid watching the evening news. Instead of having to adjust for tone or delivery, thanks to information warfare, you could be staring at something from an untrustworthy or highly motivated source that was shared to gain a specific reaction — like influencing presidential elections. Even if you try the old trick of triangulating with multiple voices, you might realize you’re in a social media echo chamber, where multiple people or companies you respect have reposted information from the same source. In this environment, it’s spectacularly easy for a single individual to reach out to multiple sources to control the narrative. During the Cronkite era, information consumers regularly enjoyed vetted stories told with the help multiple validated sources. Consuming structured information made it easier to look for and recognize the most reliable patterns. Since we’re consuming so much unstructured information, we have to work harder to ask the questions that help us know if the information before us is genuine and to validate and authenticate before sharing. Because information is now so divergent, the burden is on you.

  • Twitter icon
  • LinkedIn icon
  • Faceboook icon