Critical infrastructure operators have long faced the formidable security challenges of zero-day vulnerabilities and advanced persistent threats (APTs), both of which were employed in some of the most prominent cyberattacks on those sectors to date. But one researcher is warning leaders in government and industry of an older threat that, fueled by recent legislation and commercial practices, is quickly surpassing zero days and APTs as perhaps the greatest risk to critical infrastructure security.

The threat is what might be called “weaponized metadata,” and the risks are detailed extensively in a new report, Metadata: The Most Potent Weapon in this Cyberwar, recently published by the Institute for Critical Infrastructure Technology (ICIT), a Washington, D.C.-based cybersecurity think tank. ICIT produces many publications annually, but the 28-page report on metadata is notable for its urgent tone and sharp criticism of governments and businesses globally.

James Scott, ICIT senior fellow and the report’s author, discussed the causes and potential consequences of the metadata threat to critical infrastructure security in a recent interview with Fifth Domain. The risk is increasing, Scott said, because of growth in the collection, aggregation and sale of end users’ internet metadata, as well as users’ preference profiles and browser histories.

“Metadata is data about data,” Scott explained. “It describes operations and activities at a high level. Sophisticated, and even some less formidable, threat actors can infer a great deal from the presence or absence of specific metadata.”

The ICIT report notes that metadata can be descriptive (e.g., identification details), structural (e.g., combination and container details) or administrative (e.g., creation, technical and access details). Examples of internet metadata include the title, sender and receiver of emails, the unique identification number of a mobile device (e.g., the International Mobile Equipment Identity, or IMEI) and the duration of users’ visits to websites. These examples are just a few of the dozens of data types that contextualize users’ online behavior.

But it’s not just the metadata alone that makes this threat so significant, Scott explained. “Th[e metadata] risks are compounded if the information can be combined with other stolen data sets. While the latter data inform the attacker about who the victim is, metadata profiles how they act.”

Armed with detailed knowledge of who victims are and how they behave online, threat actors can conduct a variety of cyber-enabled attacks, from social-engineering techniques such as spear phishing to “psychographic and demographic Big Data algorithms” employed to push “fake news.” Scott’s report provides detailed case studies on how metadata could be used to target anyone, from executives to entry-level employees, in specific critical infrastructure sectors, such as energy, finance and healthcare.

“People have a hard time altering their intrinsic behavior,” Scott told Fifth Domain, “especially if they do not know that they are being monitored. Consequently, threat actors can leverage victims’ unique browsing patterns to plan social-engineering campaigns, precision target propaganda, plant watering-hole sites, etc.”

While internet users have always generated metadata, Scott said the risk of its misuse is growing partly because of recent legislation, particularly S.J. Res. 34, which the report says enables “dragnet surveillance initiatives” by internet service providers (ISPs), telecommunications companies and other communications businesses. S.J. Res. 34, a Congressional Review Act resolution, passed both chambers of Congress in March 2017 and was signed into law in April. It nullified the broadband privacy rules the FCC had adopted in late 2016, which would have required ISPs to obtain customers’ opt-in consent before sharing or selling their web browsing and app usage history.

After quoting the 124-word bill in its entirety, the ICIT report concluded, “Those few sentences undermine consumer privacy and radically redefine the cyber-threat landscape against every critical infrastructure silo.”

“Metadata is no longer harmless,” Scott said in the interview. “For years, advertisers have used it to influence behavior patterns. Self-serving, negligent data brokers were already a concern in the United States. Legislation, such as S.J. Res. 34, which passed despite no clear benefit to consumers, further commercializes and insecurely spreads sensitive metadata, which is dangerous and does not serve or protect consumer populations.”

In the report, Scott gives an extended example of how China could use metadata for counterintelligence operations, with potentially serious consequences to national security. Scott illustrates how, under the relaxed data privacy rules of S.J. Res. 34, a state-owned Chinese business (most likely a shell company) could buy metadata on U.S. consumers in bulk from a U.S. ISP. Chinese intelligence agents could then combine the metadata with data stolen by the Chinese APT threat actor Deep Panda in the 2015 Office of Personnel Management (OPM) breach, an incident that “will haunt the U.S. for decades,” Scott wrote in the ICIT report.

Using artificial intelligence, Chinese agents could then de-anonymize the internet metadata and correlate it to workers in critical infrastructure sectors. In combination with the detailed demographic and psychographic information contained in stolen SF-86 forms (the questionnaire completed by applicants for U.S. government security clearances), the threat actors could identify with pinpoint accuracy individuals who are susceptible to counterintelligence operations, along with effective methods for compromising each one.

“Browsing histories that reveal frequent visits to gambling sites, multiple credit card pages, loan applications or even dating sites could indicate a federal employee is ripe for financial blackmail or transformation into an intelligence asset,” the ICIT report notes.
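The correlation step in the scenario above is a linkage attack: pseudonymous metadata is joined to a named data set on quasi-identifiers the two sets share, and the linked profile is then screened for the indicators the report lists. The following Python sketch is an added illustration and is not code from the ICIT report or Fifth Domain. Every record in it is constructed, the domains use the reserved .test TLD, and it assumes (as an attacker would have to establish through reconnaissance) that the purchased ISP metadata carries a service ZIP code and that each employer’s remote-access portal hostname is known; the habitual-visit threshold and the keyword categories are likewise assumptions chosen for the example.

```python
"""Linkage-attack sketch: re-identify pseudonymous ISP browsing metadata by
joining it with a breached personnel record set, then score each linked
person's browsing for the financial-pressure indicators the report names.

All records are constructed for this example; .test domains are not real.
"""
from collections import Counter, defaultdict

WORKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri"}

# Constructed "purchased" ISP metadata. Subscriber IDs are pseudonymous, but
# each row still carries the service ZIP and the visited domain.
ISP_METADATA = [
    # (pseudonymous_id, service_zip, domain, weekday, hour)
    ("sub-7f3a", "20170", "vpn.example-energy.test", "Mon", 8),
    ("sub-7f3a", "20170", "vpn.example-energy.test", "Tue", 8),
    ("sub-7f3a", "20170", "vpn.example-energy.test", "Wed", 8),
    ("sub-7f3a", "20170", "fastcash-loans.test", "Tue", 23),
    ("sub-7f3a", "20170", "lucky7-casino.test", "Wed", 1),
    ("sub-7f3a", "20170", "lucky7-casino.test", "Thu", 0),
    ("sub-7f3a", "20170", "discreet-dating.test", "Fri", 22),
    ("sub-91bb", "20171", "vpn.example-energy.test", "Mon", 9),
    ("sub-91bb", "20171", "vpn.example-energy.test", "Wed", 9),
    ("sub-91bb", "20171", "vpn.example-energy.test", "Thu", 9),
    ("sub-91bb", "20171", "recipes.test", "Sat", 11),
    ("sub-c21e", "20172", "vpn.example-energy.test", "Mon", 8),
    ("sub-c21e", "20172", "vpn.example-energy.test", "Tue", 8),
    ("sub-c21e", "20172", "vpn.example-energy.test", "Thu", 8),
]

# Constructed stand-in for a breached personnel data set (the "who the
# victim is" side): real name, employer, home ZIP.
BREACHED_PERSONNEL = [
    {"name": "A. Example", "employer": "Example Energy", "zip": "20170"},
    {"name": "B. Example", "employer": "Example Energy", "zip": "20171"},
    {"name": "C. Example", "employer": "Example Energy", "zip": "20172"},
    {"name": "D. Example", "employer": "Example Energy", "zip": "20172"},
]

# Assumed employer -> remote-access portal hostname (attacker reconnaissance).
EMPLOYER_PORTALS = {"Example Energy": "vpn.example-energy.test"}

# Assumed keyword categories for the indicators quoted in the report.
INDICATOR_CATEGORIES = {
    "gambling": ("casino", "poker", "sportsbook"),
    "loans": ("loan", "payday"),
    "credit_cards": ("creditcard", "card-offer"),
    "dating": ("dating",),
}


def build_profiles(records):
    """Collapse raw metadata rows into one behavioural profile per pseudonym."""
    profiles = {}
    for pseudonym, zip_code, domain, weekday, hour in records:
        p = profiles.setdefault(
            pseudonym, {"zip": zip_code, "visits": Counter(),
                        "workhour_days": defaultdict(set)})
        p["visits"][domain] += 1
        # Track which weekdays each domain is reached during working hours;
        # habitual work-hours use of a corporate portal marks an employee.
        if weekday in WORKDAYS and 7 <= hour <= 18:
            p["workhour_days"][domain].add(weekday)
    return profiles


def link_subscribers(profiles, personnel, portals, min_days=3):
    """Join pseudonymous profiles to named personnel records.

    A pseudonym is linked only when it reaches an employer's portal during
    work hours on at least `min_days` distinct weekdays AND exactly one
    breached record has that employer and the same ZIP. Ambiguous joins
    (two candidates in the same ZIP) are discarded rather than guessed.
    """
    linked = {}
    for pseudonym, p in profiles.items():
        for employer, portal in portals.items():
            if len(p["workhour_days"].get(portal, ())) < min_days:
                continue
            candidates = [r for r in personnel
                          if r["employer"] == employer and r["zip"] == p["zip"]]
            if len(candidates) == 1:
                linked[pseudonym] = candidates[0]["name"]
    return linked


def score_indicators(visits):
    """Count visits per indicator category; only categories actually hit appear."""
    hits = Counter()
    for domain, n in visits.items():
        for category, needles in INDICATOR_CATEGORIES.items():
            if any(needle in domain for needle in needles):
                hits[category] += n
    return dict(hits)


def rank_targets(records=ISP_METADATA, personnel=BREACHED_PERSONNEL,
                 portals=EMPLOYER_PORTALS):
    """Link, score and rank re-identified people by indicator breadth."""
    profiles = build_profiles(records)
    linked = link_subscribers(profiles, personnel, portals)
    ranked = []
    for pseudonym, name in linked.items():
        hits = score_indicators(profiles[pseudonym]["visits"])
        ranked.append({"name": name, "pseudonym": pseudonym,
                       "indicators": hits, "categories_hit": len(hits)})
    ranked.sort(key=lambda r: r["categories_hit"], reverse=True)
    return ranked


if __name__ == "__main__":
    for row in rank_targets():
        print(row)
```

On the constructed data, sub-7f3a is re-identified as A. Example and flagged in three indicator categories, sub-91bb is re-identified as B. Example with no indicators, and sub-c21e is never linked because two personnel records share its employer and ZIP. The point for defenders is that the ISP data set contained no names at all; the join needed only a ZIP code and a habitual destination, which is why the report treats "harmless" metadata as a targeting asset once it sits beside a breached identity set.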

“This threat is already present, and attack campaigns may already be in motion,” Scott said in the Fifth Domain interview.

The biggest threat vector for weaponized metadata may be one of the simplest, according to Scott. “Critical infrastructure organizations should be most worried about precision-targeted, social-engineering attacks that were tailored by leveraging demographic and psychographic Big Data analytics against cross-referenced data sets containing metadata and information exfiltrated in previous breaches,” he said.

In Scott’s judgment, the healthcare sector, followed closely by energy and finance, is the most vulnerable critical infrastructure sector. “Electronic health records, a systematic lack of cyber hygiene and a focus on patient health above all else make the [healthcare] sector an attractive and vulnerable target,” Scott told Fifth Domain.

But the security practices of buyers (e.g., marketers), sellers (e.g., ISPs) and middlemen (e.g., data brokers) in the robust, convoluted consumer data marketplace are also a problem, according to Scott.

“The public should have no confidence whatsoever in the companies collecting, storing, transmitting or processing their metadata – often without their knowledge, awareness or consent. [The companies] have a long and sustained history of operating insecurely and shifting risk to consumers instead of protecting their data. Data from ISP systems are already available on Deep Web markets and forums. Further, insufficient regulations and consumer protections are implemented to secure customers from the emerging threat. Users often cannot change their ISPs and often do not know which companies are exchanging or exploiting their data. In effect, S.J. Res. 34 and other dragnet bills are ensuring that consumers are exploited without their knowledge, awareness or consent and that the organizations mishandling the data and failing to secure their systems are not held accountable in any meaningful way.”

As for how end users can protect themselves, Scott recommends using security technologies such as virtual private networks (VPNs) and only selectively sharing information in online profiles and digital platforms. But, he conceded, “There is little the average consumer can do to mitigate the cascading impacts of S.J. Res. 34 other than contacting the FCC or their Congressmen and voicing their disapproval of the bill – that does absolutely nothing beneficial for consumers – and its overwhelming negative impacts.”

Scott urged leaders in the public and private sector to consider the risks to end users from current data policies. “Data must be protected according to its value and potential uses, whenever it is collected, wherever it is stored, whenever it is processed and however it is transmitted,” Scott said. “Risk of unsolicited exposure, disclosure or compromise is best reduced by limiting the parties with access to the data and by considering emerging exploitation vectors when deciding whether to collect, store or transmit information.”

If leaders fail to formulate effective data privacy policies, Scott warned, “Populations will suffer from improper data handling, and the effects will eventually backlash on public and private businesses and on legislators.”