[Editor’s Note: Today’s post by guest blogger and freshly proclaimed Mad Scientist Vincent H. O’Neil was the runner-up in our recent Mad Scientist Operational Environment in 2035 Writing Contest. Mr. O’Neil also presented on this topic yesterday in the first of our series of on-line Weaponized Information events (click here to watch it). Now you can read his complementary post, predicting the emergence of the Information Disruption Industry (IDI), how the democratization and commercialization of this capability will lead to the continuous and widespread disruption of the Information Environment, and what measures we can take to prepare for and help mitigate its effects on future Warfighters in the Operational Environment — Read on!]
Use of everyday technology to collect personal data is increasing, and has already raised concerns about violations of privacy. Those collection efforts will continue to grow, because the data has a substantial value and can be sold. As these efforts become more intrusive, popular resentment will also grow. A tipping point is likely to be reached where the resentment changes to action. At that time, existing privacy protection services will expand enormously—and create a new industry dedicated to disrupting the collection, storage, and sale of personal data. It will be profitable and popular because its clients will believe this industry is defending their individual privacy.
For the rest of this paper, this new industry will be referred to as the Information Disruption Industry or the IDI. The IDI will attack the collection, storage, and dissemination of personal data at every level and every step in those processes. Its techniques will range from sophisticated efforts to alter collected information to cruder methods designed to crash entire systems. The increasingly interconnected nature of the technological world will render many systems—even those completely unrelated to personal data collection—vulnerable to second-order effects from these attacks.
This likely scenario has the potential to seriously damage the information landscape in 2035, if not sooner. Operating in this future environment calls for a broad approach designed to combat the wide-ranging impact of this disruption industry once it has gained social acceptance and popular funding.
The Current Situation
Use of everyday technology to collect personal data is increasing, and has already raised privacy concerns. The collection of this data is a lucrative business, as the information can be sold and resold.
Most people are already aware of this collection, through personal experience and the news:
- Mentioning a specific product in an electronic communication often leads to the appearance of online advertising reflecting that product
- Cases such as the Cambridge Analytica scandal demonstrate that large-scale collection of personal data is being conducted without public consent
- Frequent news stories concerning data breaches at large corporations feed the belief that, despite claims to the contrary, no collected information is safe
Resentment against this data aggregation increases when the targets of the collection realize they’re paying for it. Devices inside their phones and cars are being used to track and report their behavior, habits, and movements. Additionally, those devices can be accessed as part of legal proceedings, frequently to the detriment of the individuals paying for them.
The Tipping Point
As the technology improves, these collection efforts are likely to become even more intrusive—which will increase popular resentment. This is likely to reach a tipping point where that dissatisfaction turns into action.
Public opinion could be shifted from grudging acceptance to outright resistance by just a few news stories highlighting harmful privacy violations:
- Domestic violence victims hiding from their tormentors who were located and murdered through technological tracking
- Court cases where personal data collection provided circumstantial—but misleading—evidence that convicted innocent people
- Social media analysis by employers and/or universities that rejected qualified candidates
It won’t take many of these stories to make the general populace view personal data collection efforts as an actual threat to their livelihoods, liberty, and even their lives.
Expansion of the Disruption Industry
Once people see data collection and technological tracking as a threat, they will pay to protect themselves. That funding will generate the IDI.
The talent pool to staff this industry already exists. Tech-savvy individuals have been disrupting systems for many decades, for fun and profit, and they will be joined by technology professionals once society indicates its approval. Some of these professionals will come from the collection industry itself. People who were employed as personal data gatherers will leave those jobs to become subject matter experts in disrupter organizations. The pay is likely to be better, and their new jobs will be much more socially acceptable than their old ones. Their expertise will identify the vulnerabilities of systems and organizations that gather and sell personal information.
Hackers will also participate, formally or informally, because the IDI will create an environment conducive to their activities. It will be extremely difficult to secure vulnerable backdoors against cyberattack when the public is funding the demolition of a system’s very walls. Identifying a Trojan Horse will be next to impossible if it arrives in the middle of a stampede.
The IDI may even receive an official stamp of approval. Cases brought before the Supreme Court could rule that the activities of the disrupters are protected by the Constitution because they are protecting Constitutional rights.
Continuous and Widespread Disruption
The IDI will attack the collection, storage, and dissemination of personal data at every level and at every step in those processes. Those efforts will range from sophisticated techniques seeking to alter collected information to cruder methods designed to crash entire systems.
Some of the more sophisticated methods won’t spend any time attacking the many tools of the collection effort—they’ll hack the aggregated data where it’s stored, or compromise it during its transmission. The most sophisticated systems will change individual client data—without being detected—while leaving positive items such as high credit scores unaffected.
The less sophisticated techniques will have much broader effects and almost no subtlety. Those attacks will be designed to wreck systems, muddle entire databases, and thwart collection at the source.
Regardless of the form the IDI takes, the result will be a kaleidoscopic information landscape populated with data requiring frequent verification and systems that malfunction randomly. All of this will generate second-order effects that will be as harmful as they are unpredictable.
The increasingly interconnected nature of the technological world will magnify the impact of these disruptions and generate problems in unexpected areas. Hooking everything from household appliances to hospital information systems to the internet creates a myriad of opportunities for intentional—and unintentional—disruption.
Here’s an example: Tracking technology that utilizes the GPS system will be a particularly important target for the IDI. Countless systems access this tool, so disrupters seeking to prevent the GPS system from following its clients—or seeking to wreck the system entirely—could also damage the systems that connect to GPS. The argument that barriers are in place to prevent this is not sufficient, because the tech is constantly changing. Seemingly minor adjustments to code, hardware, and protocols can create unexpected vulnerabilities.
Ramifications for the Operational Environment
This likely scenario has the potential to seriously damage the operational environment in 2035—if not sooner.
Military technology is created and sold by civilian businesses, and some of those businesses design their products so that modified versions can be sold in non-military markets. That intersection alone has the potential to render many military systems vulnerable.
Former military personnel will also join the ranks of disrupter organizations, bringing valuable knowledge about the setup, operation, and weaknesses of military systems.
These attacks won’t necessarily need to be directed at military targets:
- Disruptions of civilian communication systems will have a negative impact on deployed troops who have gotten used to being able to contact their loved ones. Other disruptions such as compromised credit scores and frozen bank accounts cannot help but distract deployed soldiers from their missions and focus their attention back home.
- Revisiting the GPS example above, any disruption of satellite location functionality could have enormous impact on the operational environment. Lost units, misdirected supplies, and errant ordnance are just a few of the potential ramifications. No matter how advanced the technology becomes, it’s only going to be as accurate as the information it uses and as secure as the other systems it accesses.
- Use of civilian technology for maintenance and logistical functions leaves these vital areas open to the effects of any disruptions that occur in those systems worldwide. Patches and updates for these products are usually mandatory and, while they may be designed to address a problem or shortcoming in the existing system, they could also carry code or information from disrupter organizations.
What to Do: First Steps
Operating in this future environment calls for a broad approach designed to combat the wide-ranging impact of the IDI. A supervisory authority should be created to direct this effort. Every level of the national defense apparatus has a role:
Establish a mechanism to continuously verify information and generate alerts: The national defense apparatus uses many technological systems, frequently with overlapping capabilities. That overlap could be leveraged to verify information used across these systems and provide warning when data is inaccurate or a function has been disrupted. The systems do not need to interface to create these verification capabilities—on the contrary, connection would leave them open to the attacks already mentioned. As an example, this mechanism could provide ongoing checks that geographical location A is actually situated at geographical location A—and raise a red flag when one system says it is not.
Conduct “What If?” wargaming at all levels: The operational environment includes a multitude of systems that could be impacted by the IDI. The supervisory authority mentioned earlier should require the owners/operators of every system to identify every function and entity that influences it. Each of those functions and entities will undergo similar analysis, creating a nodal diagram showing how these separate factors influence each other. That will be the start point for wargaming the possible results of disruptions anywhere across those nodes.
Create redundancy: No amount of wargaming or testing will prevent disruptions. Commands and units must be ready to lose systems and keep functioning. Lessons learned in the wargaming will help identify key capabilities that must be maintained—which may require the creation of redundant systems.
Repair the broken systems: Identifying the “last functioning point” before a disruption can help recover a malfunctioning system. Frequent archiving of data and programming can offer a chance of “resetting” the system to an earlier point that brings it back into operation.
Identify field-expedient solutions: The supervisory authority should create a “best practices” center that verifies, tests, and disseminates information on variations, substitutions, and workarounds developed in the field. These best practices must be promulgated widely, so that people working with System A will be aware of a functionality in System B that can meet the requirements of System A in an emergency.
Provide incentives: Get everyone involved in conducting “what if?” analysis and identifying field expedients by creating a rewards program. Money, public acknowledgment, medals, and promotions can help motivate people to ask these questions and come up with solutions ahead of time.
Train with manual options: Leverage the results of the “what if?” analysis and field expedients to identify every possible means of manual intervention or substitution when a system—or part of a system—is disrupted. Make training on these manual options mandatory, and include them in all operational manuals.
If you enjoyed this post, check out The Information Environment: Competition & Conflict – A Mad Scientist Laboratory Anthology; including our post Weaponized Information: One Possible Vignette
- >>> REMINDER 1: Mad Scientist Initiative is facilitating the second webinar in our series of on-line Weaponized Information events, next Wednesday, 27 May 2020 (1300-1400 EDT) — a Proclaimed Mad Scientist double feature:
- Weaponization of Social Media, with Pete Singer
- Fictional Intelligence (FICINT), with August Cole
- Join us for their discussion on the themes of weaponization of social media, robotic and AI revolutions, and the future of disinformation that run through their books and work. In order to participate in this virtual event, you must first register here [via a non-DoD network]. Registration is limited, so sign up now! And stay tuned to the Mad Scientist Laboratory for more information on our upcoming Weaponized Information virtual events — we will open registrations one week prior to each event!
>>> REMINDER 2: Mad Scientist wants your Information Warfare Vignettes! We launched this crowdsourcing exercise to complement our aforementioned Weaponized Information Virtual Events and we want to hear from you! Review submission guidelines on our flyer here, then craft and submit your most innovative and insightful visions of information warfare to us at: MADSCITRADOC@gmail.com. The winner of our writing contest will be present at our virtual conference on 21 July 2020 (stay tuned to the Mad Scientist Laboratory for further information on this event!). Deadline for submission is 1 July 2020!
Vincent H. O’Neil holds a bachelor’s degree from West Point and a master’s degree from The Fletcher School. He is an experienced risk manager, with professional articles published in Risk Management Magazine. He is also an award-winning novelist, with a mystery series published by St. Martin’s Press and a military science fiction series (written as Henry V. O’Neil) from HarperCollins. His website is www.vincenthoneil.com.