Commentary: To Protect Against Cyber Attacks, Companies Need to Address Data Manipulation. Here’s How

In 2017, Konrads Voits hacked the IT system of the Washtenaw County Jail in Michigan. A friend was serving a sentence there, so Voits digitally altered the county’s electronic prison records to accelerate his scheduled release date. Fortunately, jail staff found paper records proving the deception and promptly notified the FBI and Department of Homeland Security. Voits has now joined his friend serving time behind bars.

This example of digital data manipulation is a harbinger of a new frontier in cyber attacks: a breach of trust in the integrity of the data that powers the increasingly digitized world.

The cyber breaches that make the news tend to fall into two categories: the theft of sensitive data and ransomware attacks that cut off access to data. Yet, senior military and intelligence officials believe that manipulating the data itself may pose the greatest threat of all. Admiral Mike Rogers, former head of the U.S. Cyber Command and the National Security Agency, once testified that his worst-case cyber scenario involved “data manipulation on a massive scale.” As virtually everything becomes digitized and globally interconnected by vast volumes of data, the threat posed by data manipulation spans virtually every sector and industry.

Today, as much as 85% of stock market trades happen “on autopilot,” as the Wall Street Journal reported, “controlled by machines, models, or passive investing formulas.” Indeed, rapid-fire, automated trading cascades across financial markets and exchanges. It relies on complex algorithms using inputs from multiple data sources, including share prices and other market trends. If hackers surreptitiously alter the underlying data feeding the algorithms, they can induce the computer programs to execute trades that precipitate so-called flash crashes that cause havoc in the markets.

Industrial production is similarly susceptible. In 2017, hackers deployed Triton, a new form of malware, to penetrate a petrochemical plant in Saudi Arabia. The hackers gained access to the plant’s operational technology systems and, critically, its safety controls—the last line of defense against equipment failure and potentially catastrophic explosions or fires. Triton included a built-in self-destruct program that would create “invalid data to cover its tracks.” Fortunately, Triton’s operational malware caused the plant to shut down rather than explode.

Meanwhile, deepfakes are altering global politics. These manipulated bits of video and audio realistically display something that never happened or was never said. They use machine learning algorithms and facial-mapping software to animate real people. It may be funny when it’s blending Oprah Winfrey into Mike Tyson or Amy Adams (as Lois Lane) into Nicolas Cage.

But the Department of Defense (DoD) isn’t laughing so much, given the possibility of a fake but believable video of a world leader inciting violence or declaring war. The DoD’s Defense Advanced Research Projects Agency has undertaken a significant initiative to combat “large-scale automated disinformation attacks.” The idea is to deploy algorithms and machine learning to instantaneously process hundreds of thousands of videos and images searching for “semantic inconsistency detectors.”

In today’s new digital world, we can’t always believe our own eyes and ears. The risk is no longer theoretical for companies: Corporate leaders and law enforcement were recently rattled by a deepfake impersonating a CEO successfully directing a fraudulent transaction over the phone.

It’s time for all organizations to adapt to this reality and for individuals to add a new question to their own digital lives: “How do I know what I’m seeing is real?” The most important cybersecurity practices require the constant vigilance of segmented and inventoried networks and data. For data manipulation, three aspects rise to the top: fingerprinting, endpoint visibility, and back ups.

The foundation of data integrity will be fingerprinting documents and data. The process uses software that authenticates data by embedding a unique, identifying text string that matches to the organization’s data inventory. While it looks benign to outsiders, it gives the owners of the information the ability to validate their data.

In addition to verifying information at its creation, organizations need to secure it where it’s stored and accessed. Every device used in an organization needs to be specifically accounted and planned for—not just computers and smartphones, but storage drives and connected monitors and devices. Each of these “endpoints” can really be gateways into a network—or early warning systems to protect an organization’s larger network from being compromised. Sound endpoint security can be a vital guard against data manipulation attacks.

Anyone who’s lost a document to a software crash, left their laptop at airport security, or had a phone stolen knows how important it is to back up their data. The same applies to a bank where the network’s been compromised, and all customer and account records replaced with altered data. To regenerate hundreds of thousands of accurate records, the bank needs an earlier (but recent) set of uncorrupted data. Similarly, organizations need to be able to constantly back up and preserve, in separate networks, vital data and documents that can be called on to crosscheck data and processes, and quickly rebuild corrupted systems.

Throughout history, technological changes have forced society to grapple with truth and trust. The printing press, photography, radio, moving images, and Photoshop all precipitated shifts in what can be understood to be real, imagined, or counterfeit. In this new era of cyber malfeasance that threatens to erode confidence in financial, industrial, and political systems, it’s up to both the public and private sectors to focus on safeguarding trust in a time of increasing deceit.

Peter J. Beshar is executive vice president and general counsel of Marsh & McLennan Companies and has testified frequently before Congress on cybersecurity matters. Ari Mahairas is the special agent in charge of counterintelligence and cyber operations at the FBI’s New York Field Office.