Government doesn’t take the dangers of metadata security seriously enough, members of industry said at an Institute for Critical Infrastructure (ICIT) event on Sept. 26.
They cited the passage of SJ 34, which reduced regulations on Internet service providers’ (ISP) use of metadata generated by their customers.
“SJ Res. 34 was shocking,” said James Scott, co-founder and senior fellow of ICIT. “It’s shocking that it passed with no resistance whatsoever because what it did was it validated ISPs, notoriously cyber hygienically apathetic, to curate metadata on all of their users while simultaneously charging them a fee for the pleasure. So you’re paying Comcast for the service, and they’re monetizing off of your surfing.”
SJ 34, which was signed into law in April, nullifies a rule submitted by the Federal Communications Commission that would have required ISPs to allow customers to opt in or out of their information being shared, adopted data security and breach notification requirements, and prevented service contingent on the surrender of privacy rights.
“You don’t necessarily have control about the information that’s being sold that is about you in the ISP environment,” said David Rubal, chief technologist for data and analytics at DLT Solutions. “And from a privacy perspective, that’s one thing that really raised the yellow flag for me when I saw this going through the Hill, was the gradual loss of privacy.”
Scott explained that ISPs collecting these troves of data creates problems when nation-states and malicious actors use that data to find targets for hacks and influence campaigns.
“I’m surprised that the FBI isn’t taking this threat more seriously,” said Scott.
“What do we believe in?” added Tim Hill, director at Centrify. “Can somebody promote that idea with us? Can it be used to drive us toward a particular action? They have access to you when you’re using the Internet and all of the Internet of Things in your house that are using the Internet. They have access to information about you when you’re scheduling appointments with your doctors, scheduling appointments with lawyers, because you’re using the Internet to do those things. They have access to you when you’re working, because you’re using VPN. So they have a much larger picture of you when you start taking that metadata and merging it with other sources.”
Scott said that future use of this information can develop into a technological war with worldwide consequences.
“This war that we’re in is going to be a perpetual one, and it’s going to be an exhaustive one, and most nation-states aren’t going to be able to handle the swings, the expense, or the intellectual capital that they need in order to defend against this type of cyber-kinetic metadata offensive,” said Scott. “I think the problem on the Hill is […] they’re just now wrapping their minds around cyber hygiene. Metadata is something that they don’t understand–the weaponization capability and what nation-states are able to do from perception management, perception steering, influence operations, political warfare, information warfare. That’s the new war, it’s a cyber-kinetic meta war, and it’s permanent, it’s a permanent state that we as a planet are in.”
Scott added that members of Congress and their committees need the “intellectual capital” and cyber experts on this topic to adequately address the inappropriate or malicious use of metadata.