Metadata: The Most

Potent Weapon in This

Cyberwar
The New Cyber-Kinetic-
Meta War

Author:
James Scott, (Senior
Fellow - Institute for
Critical Infrastructure
Technology)
IInstitute for Critical Infrastructure Technology
The Cybersecurity Think Tank™
www.icitech.org

Copyright © 2017 Institute for Critical

Infrastructure Technology

All rights reserved.

No part of this report may be reproduced or

transmitted in any form whatsoever, electronic,
or mechanical, including photocopying,
recording, or by any informational storage or
retrieval system without expressed written,
dated and signed permission from the authors.
DISCLAIMER AND/OR LEGAL NOTICES
The information presented herein represents
the views of the authors as of the date of
publication. Because of the rate with which
conditions change, the authors reserve the
rights to alter and update their opinions based
on the new conditions.
The authors have strived to be as accurate and
complete as possible in the creation of this
report, notwithstanding the fact that they do not
warrant or represent at any time that the
contents within are accurate due to the rapidly
changing nature of the Internet.
While all attempts have been made to verify
information provided in this publication, the
authors assume no responsibility for errors,
omissions, or contrary interpretation of the
subject matter herein. Any perceived slights of
specific persons, peoples, or organizations are
unintentional.
 CONTENTS

1 | Dragnet Surveillance and

Retroactive Legislation Impede
Cybersecurity
2 | Metadata is the New Exploit
3 | S.J. Res. 34 Allows ISPs to
Undermine National Security and
Privacy
4 | Meta-Exploits Are Hyper-Evolving
an Already Next Generation
Adversarial Landscape
Meta-Exploitation Expedites Nation-
States Attacks on Critical
Infrastructure
Meta-Exploitation of Big Data and
Metadata Augments Extremist
Recruiting
Meta-Exploitation of Niche
Personnel Enables Cyber-Kinetic
Attacks
Meta-Exploitation Unmasks Users
with Psychographic and
Demographic Algorithms
Meta-Exploitation Transforms
Remote Contractors into Insider
Threats
Meta-Exploitation Undermines
Democratic Institutions
Meta-Exploitation Impedes Financial
Systems
Meta-Exploitation Precisely Tailors
 Disinformation and Fake News
Meta-Exploitation Disrupts Energy
Systems
Meta-Exploitation Cripples the
Healthcare Sector
5 | The Surveillance State &
Censorship Legislation Conundrum:
Dragnet Surveillance & Censorship
Legislation Will Do Nothing to
Eliminate Cyber Jihad & Lone Wolf
Recruiting
Backdoors for the Good Guys, Means
Backdoors for the Bad Guys
The Rise of the Lone-Wolf Threat &
Ease of Cyber Jihad
The Failed U.K. Surveillance State
Will Become Weaker with
 Backdoors and Dragnet Censorship
Legislation
Surveillance is Not Security
Dragnet Surveillance Cannot Stymie
Terrorism, But A.I. Can
Adversaries Will Exploit Backdoors
and Weakened Encryption
| Conclusion
| Contact Information
| Sources
 ABOUT ICIT:
AMERICA’S
CYBERSECURITY THINK
TANK

The Institute for Critical Infrastructure

Technology (ICIT), a nonparti- san
cybersecurity think tank, is cultivating a
cybersecurity renaissance for our
critical infrastructure communities. ICIT
bridges the gap between the legislative
community, federal agencies and the
private sector through a powerful
platform of cutting edge research,
initiatives and educational programs.
Through objective research and
advisory, ICIT facilitates the exchange
of ideas and provides a forum for its
members to engage in the open, non-
partisan discourse needed to effectively
support and protect our nation against its
adversaries.
www.icitech.org
 1 | Dragnet
Surveillance and
Retroactive
Legislation Impede
Cybersecurity

The combination of dragnet surveillance

initiatives and retroactive legislation
drastically increase the availability and
attainability of exploitable microscopic
and macroscopic data pertaining to
consumers every online action and
decision. Hacking is a resource-
intensive grind in which copious
exploits work, but few remain functional
for long. Naturally, as vulnerabilities are
leveraged, or exploits are sold,
defenders become aware and develop
mitigation and remediation strategies to
secure infected networks.
Adversaries are regularly able to find
new vulnerabilities to exploit due to the
architectonic chaos that plagues the
prototypical organizational IoT
microcosm. The volume of cyber-attacks
continuously increases due to the hyper-
evolution of the adversarial landscape
and due to the stealth and sophistication
of the malicious actors, who become
more precise with the direct cyber-
kinetic targeting of critical infrastructure
executives with elevated privileges.
Esoteric and scarce zero-day exploits
are no longer essential for the success of
a cyber campaign. Instead, adversaries
have a new and accelerated focus on the
curation of metadata because no matter
how much they invest in personnel and
training, organizations cannot reduce
their reliance on people, and people’s
characteristics are difficult or
impossible to change.
Metadata enables the success of direct
and indirect exploits in all critical
infrastructure silos in every major nation
because it exposes systemic operational
vulnerabilities and it facilitates the
bypass of ingrained cyber-hygiene
defenses. There are limitless
possibilities for social engineering and
cyber exploitation when one understands
how to make sense of seemingly random
metadata or how to pair the data with
other exfiltrated data pools in attacks
that weaponize psychographic and
demographic Big Data algorithms.
 2 | Metadata is the
New Exploit

Metadata, or “data about data,” is

collected and recorded to describe data,
identify trends, administer algorithmic
solutions, and model potential scenarios.
It is categorized as descriptive
(identification details), structural
(combination and container details) and
administrative (creation, technical, and
access details). Some metadata, such as
that generated from telecommunications,
can trivially re-identify parties [1]. That
two entities are communicating or have
communicated in the past might be
valuable information. Other metadata,
such as web- browsing info is supposed
to be rendered significantly more
difficult to use in re-identification
methodologies. Social media and online
networking sites, applications, and
services already associate user profiles,
activities, behaviors, and expressions to
psychologically manipulate customers to
behave in certain ways, absorb specific
content, or believe particular details.
NSA General Counsel Stewart Baker
has been quoted saying, “metadata
absolutely tells you everything about
somebody’s life. If you have enough
metadata, you don’t really need content”
and General Michael Hayden, former
director of the NSA and the CIA, adds,
“We kill people based on metadata” [1].
If nothing else, metadata enables
operators to identify significant sets and
associations within greater Big Data
stores [2]. Recent legislation, such as
mass-surveillance and data sale bills in
multiple countries including the United
States, has increased the risk that
metadata poses to Internet users by
allowing or requiring private entities
such as ISPs to exchange consumer-
centric information with unknown and
unregulated third-parties.
Typically, when networks sell data,
what they are actually selling is targeting
of a particular sub- segment of a market
on their platform [3]. ISPs cannot do that
because they lack a platform to deliver
specific ads to specific consumers. Data
will have to be conveyed. Further, due
to data leakage, insecure ISP servers,
and increasing market viability and
interest in consumer data sets, it is only
a matter of time before Internet users
suffer increased adversarial exploitation
tailored to their online activities.
 3 | S.J. Res. 34 Allows
ISPs to Undermine
National Security and
Privacy

S.J. Res. 34 is a 124-word bill

(accompanied by a 40-word title) that in
its entirety reads, “This joint resolution
nullifies the rule submitted by the
Federal Communications Commission
entitled “Protecting the Privacy of
Customers of Broadband and Other
Telecommunications Services.” The rule
published on December 2, 2016: (1)
applies the customer privacy
requirements of the Communications Act
of 1934 to broadband Internet access
service and other telecommunications
services, (2) requires
telecommunications carriers to inform
customers about rights to opt in or opt
out of the use or the sharing of their
confidential information, (3) adopts data
security and breach notification
requirements, (4) prohibits broadband
service offerings that are contingent on
surrendering privacy rights, and (5)
requires disclosures and affirmative
consent when a broadband provider
offers customers financial incentives in
exchange for the provider’s right to use a
customer’s confidential information.”
Those few sentences undermine
consumer privacy and radically redefine
the cyber-threat landscape against every
critical infrastructure silo. S.J. Res. 34
allows ISPs such as Comcast, Time
Warner, Verizon, T-Mobile, etc. to sell
consumers’ IP addresses, Internet search
histories, temporal data (when a user is
online, for how long, the time between
clicks, visit duration, etc.), and other
metadata. Most importantly S.J. Res. 34
removed requirements that Internet
Service Providers: protect data from
hackers during storage, transmission,
and processing; notify consumers of
security incidents that jeopardize their
data; and prohibit the unconsented
exchange of consumer metadata with
private entities [5].
The legislation manifested from ISPs
envy of social media and search engine
user-data monetization models.
Telecommunication companies were
barred from participating in these
schemes that trade “free” services for
customer information for ad revenue
because ISPs capture and process
significantly greater quantities and
drastically higher detailed information
than other online organizations. Their
argument that they should enjoy the same
liberties and accountability standards as
companies like Facebook and Google is
intentionally deceptive.
Though massive, the aforementioned
digital platforms cannot access or
capture users’ entire online browsing
sessions. They can only monitor user
actions on that particular outlet or
affiliated sites. Further, social media
and search engine companies exchange
economic incentives in the form of utility
and convenience for users’ data under
the express understanding that provided
information may be used for targeted
advertising or shared with third-parties.
Users have some level of choice and
consent in what information is provided
and how it is used. ISPs offer customers
no such additional value. Before
restrictions on the sale of consumer data
and in the time following S.J. Res. 34,
customers will not see a decrease in
their Internet and telecommunication
bills. If anything, services will continue
to increase based on inflated rates that
feed profit lines instead of securing
consumer data or modernizing decrepit
infrastructure. Consumers can choose
what information to share on each social
media or search engine with which they
engage. If the data-price exceeds the
user willingness-to-pay, then they seek
an alternative or abstain.
Figure 1: Metadata is Vulnerable on
Verizon Servers
Figure 1 captures an Alphabay sale of
information from a Verizon customer
database. If Verizon cannot even secure
basic email credentials, how can it be
trusted to secure metadata?

Access to the Internet is not comparable.

Consumers already pay ISPs exorbitant
fees for slow data-exchange-rates and
notoriously shoddy customer service.
Most do not have any choice in ISP
because entire regions lack any
alternatives or competition. Meanwhile,
telecommunication companies can
inspect, monitor, capture, and sell nearly
every macroscopic and microscopic
datum.
Without S.J. Res. 34, ISPs would have
to develop enticing and innovative
multi-leveled service platforms to
compete with Google, Facebook, and
other tech incumbents in the free and fair
market. Under S.J. Res. 34, consumers
are paying ISPs every month to
eventually sell their data to plentiful
unknown buyers and resellers to be used
for unknown purposes, to be stored on
unknown servers with unknown security,
and to further transmit to parties
unknown. While some nation-state
affiliated firms will legally purchase
data, most threats cannot and do not need
to do so. Every time a script kiddie,
cyber-criminal, or cyber-mercenary
infiltrates a public or private sector
system, they now have the opportunity to
potentially exfiltrate detailed metadata
as a secondary objective. Each purchase
of metadata sets from an ISP by a
legitimate company carries the risk that
either that organization’s systems are or
will be compromised, that the entity
operates in part or whole on behalf of an
adversarial nation-state, or that a
malicious insider could access and steal
the information.
Figure 2: Comcast is Incapable of
Securing Basic Consumer Data

As shown in Figure 2, Comcast, like

Verizon, has failed at securing account data
and cannot be trusted to secure and
exchange metadata
4 | Meta-Exploits Are
Hyper-Evolving an
Already Next
Generation
Adversarial
Landscape

Meta-Exploitation
Expedites Nation-States
Attacks on Critical
Infrastructure
The Chinese state-sponsored Deep
Panda APT exfiltrated 22.1 million
granular-detailed 127- page SF-86
forms in the 2015 OPM breach. The
incident will haunt the U.S. for decades
because the entire clearanced workforce
may already be subject to compromise
by the Chinese government. The forms
contained the demographic and
psychographic information of critical
infrastructure personnel and clearance
applicants. The stolen information can
be aggregated with other data stolen by
Deep Panda and affiliated groups, in a
custom database of American critical
infrastructure personnel. The information
was not encrypted in OPM’s system and
the only deterrent to establishing a
“LinkedIn for espionage and blackmail”
is the sheer quantity of data; however,
recent advances in Big Data analytics
and machine learning will reduce the
computational expenditure of leveraging
the data [4] [6].
Artificial Intelligence algorithms can
combine the data already exfiltrated in
the OPM, Anthem, and other incidents
with the excessive stores of metadata
purchasable from U.S. ISPs. In China,
organizations are either owned by the
state or are subject to the management of
one or more government liaisons who
have administrative authority [4]. The
Chinese Government can acquire
metadata legally through layers of shell
companies or foreign branches or by
deploying one of around a hundred
advanced persistent threat groups to
exfiltrate the data from a poorly secured
data broker, ISP, or federal agency. In
combination with the SF-86 forms, AI
can be used to de-anonymize metadata to
identify critical infrastructure personnel
based on their psychological and web
browsing profiles or it can be used to
detect vital personnel who have become
vulnerable in the years after OPM.
Browsing histories that reveal frequent
visits to gambling sites, multiple credit
card pages, loan applications, or even
dating sites, could indicate that a federal
employee could be ripe for financial
blackmail or transformation into an
intelligence asset [6].
 Figure 3: Free and Purchasable
Keyloggers are Easy to Find on Deep
Web
Keyloggers from Deep Web are easy to find,
download, and use. Figure 3 depicts a
minuscule sampling of the thousands of
instantly available variants.

Individuals working in niche fields are

particularly vulnerable because they can
be easily identified in metadata by their
visits to sector specific sites and their
profiles stand out in the OPM data.
Contractors with remote access are
particularly appealing targets because
their credentials can be infected through
spear-phishing, watering-hole, or drive-
by-download attacks, and their
credentials can be captured with a
keylogger. While some might follow
protocol and report attempted coercion
by a foreign power (likely at risk to their
career), others will serve as malicious
insiders within secure compounds and
vital networks. These individuals can be
leveraged to install network backdoors
to facilitate future breaches, they can be
persuaded to plant logic bombs or wiper
malware to cause a cyber-kinetic
impact, they could infect sensitive and
air-gapped networks with sophisticated
malware, or they could personally
exfiltrate intellectual property, PII, PHI,
state secrets, etc.

Meta-Exploitation of Big
Data and Metadata
Augments Extremist
Recruiting
Facebook recently claimed that it
implemented a machine learning
algorithm that identifies depressed users
based on the metadata generated from
their searches, clicks, linger time, and
other metrics, while on the platform. The
intent of the implementation was to alter
the content displayed to the user based
on their mood, in order to improve the
user experience. The company alters the
display of content to manipulate the mind
and emotions of the user. For all
purposes, this is nothing less than
privatized cyber-psychological warfare
that targets customers, users, and
consumers in a campaign that compels
them to depend on the product and
incrementally increase their daily usage.
Essentially, if the user sub-consciously
knows that when they use Facebook,
their mood improves, then they will rely
on it as an emotional crutch [7].
Numerous ad networks and other online
outlets have likely developed similar
processes for recognizing lonely or
troubled consumers as a means of
exploiting their melancholy and lapsed
judgment to sell goods and services. The
same techniques leveraged to detect
depressed users could be leveraged by
malicious adversaries to locate potential
recruits. The only difference is that
technology firms and advertising
companies are legally allowed to
purchase metadata and use it to
subjugate the public.
The expansion of ISIL and the Cyber-
Caliphate depends on the propagation of
extremist media and on the perpetual
recruitment of troubled individuals that
can be persuaded to act as lone- wolf
threat actors. Other far-right and far-left
radical organizations similarly operate
and depend on active recruitment. Self-
polarized lone wolf threat actors are the
meta-variant of terrorist. Isolated,
depressed, and mentally unstable
individuals are prime targets for
extremist conscription. These users can
be trivially targeted even from pseudo-
anonymous metadata because the actual
identity of the target does not matter; the
threat actor just needs an IP address,
email, or social media account to
establish initial contact [8].
Lone wolf threat actors turn to the
internet for community and purpose.
Their online accounts exhibit behaviors
of seeking attention, polarization, and
further isolation. Many experienced
trauma in their youths or are
ideologically ostracized in their
communities. Before the internet,
troubled individuals often did not
radicalize to the point of action because
in order to do so they had to physically
identify, locate, and connect with a
tangible local congregation of like-
minded individuals. Now on the Internet,
radicalization can occur instantly and
anonymously within significantly larger
and more geographically distributed
groups. Statistically, physical
membership in hate groups has actually
diminished because troubled lone
wolves can instantly gratify and cultivate
their radical beliefs, they can remotely
plan their assaults with online resources
(Google Maps, etc.), and they can
consume propagandist narratives to
model their campaigns around and to
assure them that their purpose is worth
serving and that their sacrifice will be
remembered [8]. Metadata can be
leveraged to precisely target attention-
seeking and isolated users located in
Western nations. Improving the one-to-
one recruitment efficiency of extremist
networks could provide a second wind
to degenerating organizations such as
ISIL. Even if recruits are not identified,
the metadata could be leveraged to
discern emerging trends to inform an
optimized evolution of radical
propaganda.
The Cyber-Caliphate and similar groups
lack the resources and infrastructure of
multi-national corporations. They cannot
develop powerful algorithms or
purchase vast quantities of data.
However, they can polarize unsound
individuals in foreign nations and use
them as malicious insiders within the
data broker firms, ISPs, or advertising
companies that purchase mass-
surveillance Internet information.
Moreover, as machine learning and
artificial intelligence solutions become
more ubiquitous, reliable open source
derivatives of efficient algorithms
emerge. Additionally, while present in
sensitive networks, the lone-wolf could
plan attacks, install malware, backdoor
systems, or obtain sensitive lists of
individual niche personnel to target in
their localized assaults.
Figure 4: T-Mobile Fails to Secure
 Account Data

Smaller ISPs like T-Mobile or AT&T are

not better than Comcast and Verizon at
protecting consumers’ data.

Metadata may also be used in targeted

attacks against high-value critical
infrastructure personnel. Location
tracking, “super-cookies,” and other
technical indicators can be used to
physically track a target. Metadata
captured by ISPs include Internet usage
days and times, duration, and visited
top-level domains. Consequently,
adversaries can ascertain when someone
will be home based on typical usage or
determine where they might be based on
location tracing or web searches of
destinations. Some services, such as
Google accounts and mobile
applications, even aggregate home and
mobile search history and location
information within accessible and
vulnerable databases. Instead of
targeting public spaces, lone-wolves
could leverage exfiltrated metadata to
target prolific figures or essential
critical infrastructure personnel.

Meta-Exploitation of Niche
Personnel Enables Cyber-
Kinetic Attacks
Critical Infrastructure depends on
technical and specialized experts whose
knowledge and skill sets often differ
from those around them. As a result,
metadata could expose the physical or
digital locations frequented by niche
personnel in the Energy, Financial, or
Healthcare sectors. The metadata sold
by ISPs after S.J. Res. 34 passed
includes top-level domains and may
include the IP addresses that frequent
those domains. Once a high-profile
target had been identified and profiled
using metadata, the adversary can tailor
personalized lures. For instance, the
attacker could spoof a medical bill,
could send them a surgically precise
urgent email about a medication for their
condition, etc. Alternately, the adversary
could release sensitive data to denigrate
the individual, to devalue a company
through public embarrassment, or to
cause any number of personal or societal
harms.
Specialized critical infrastructure
operators frequent webpages and blogs
pertinent to their fields, which are not
popular among the uninitiated public. A
script kiddie, cybercriminal, techno-
mercenary, digital-jihadist, or nation-
state sponsored advanced persistent
threat (APT), could infect sensitive
systems along at least two vectors. An
attacker could focus on a specific IP
address connected to a target operator.
Cyber-attackers could use metadata to
determine the most popular niche sites.
Energy, healthcare, or financial sector
organizations’ webpages or online
portals might qualify as niche sites.
Next, they could compromise those sites
using script kiddie tools that are freely
available on Deep Web markets and
forums, or they could infect an employee
system via social engineering (site
admins and contributors can be
identified in metadata as the most
frequent and prolonged visitors) and
then laterally compromise the page. The
compromised site can then be used as a
“watering-hole” to evaluate visiting
system parameters and to deliver
customized malicious payloads. In this
manner, a single attacker leveraging only
a small pool of localized metadata might
compromise every niche expert in a
region [6].
Figure 5: Tools to Create Watering-
hole and Drive-by-Download Links
are Cheap
Metadata can tell attackers what sites are
visited by niche personnel, C-level
executives, entry-level staff, voters, or any
other demographic. Script kiddie tools can
be used to generate malicious landing pages
and drive-by-download links. Metadata can
also be paired with psychographic and
demographic Big Data algorithms to create
tantalizing fake news pages.

The adversary could launch a multi-

vector precision targeted spear-phishing
and social engineering campaign that
bombards the victim with spoofed
emails carrying malicious payloads,
from expected sources. One example
would be a spoofed newsletter from a
niche site. Each hyperlink might redirect
the target to a drive-by-download
landing page for a fraction of a second.
In that brief time, their system could be
infected with a single or multi-stage
malware dropper. The dropper could
deliver any number of malware to the
victim system provided it uses
obfuscation mechanisms (such as a
mutagenic hash) sufficient to bypass
consumer anti-malware applications.
Another spear-phishing email might
contain a malicious attachment that
delivers malware by exploiting a zero-
day or disclosed vulnerability in the
Microsoft application suite.
The fake newsletter might also appear to
refresh the page and land the user on a
spoofed login page for their email client.
The adversary captures any credentials
entered into the page before it redirects
the unaware user back to their inbox.
Since far too many un-cyber-hygienic
users reuse the same or slightly altered
credentials across a broad range of sites
or link their diverse accounts to a single
email address, the captured credentials
might grant the actor access to all facets
of the target’s life. At a bare minimum,
the adversary can send malicious emails
from the legitimate account to trusted
contacts that may operate within the
same or similar organizations.
Stuxnet demonstrated that infections
spread from foreign media could hobble
an Energy operation. Most organizations
now operate under a BYOD policy.
Systems infected via the aforementioned
watering-hole, drive-by-download, or
spear-phishing attacks may bring
malware into the network or across an
air-gap. BlackEnergy demonstrated the
viability and devastation of such an
attack. On December 23, 2015,
BlackEnergy infected the
Prykarpattyaoblenegro power plant in
Ukraine and caused a severe outage.
More significant than the immediate loss
of power, the threat actor, who is likely
backed by the Russian state,
demonstrated that the malware, which
has been regularly discovered on U.S.
networks, can severely cripple a
nation’s critical infrastructure as part of
a cyber-physical campaign. The potency
of BlackEnergy derives from its wiper
component, which can erase or brick
systems upon which vital operations
depend. Wipers are increasingly
becoming more prevalent and easier to
spread. Early analysis of the “NotPetya”
malware spread to over 2000 systems on
June 27, 2017, appears to have been a
wiper malware disguised as
ransomware. The self- propagating
malware spread via the EternalBlue
exploit that leverages the MS17-010
SMB vulnerability on unpatched
Windows systems. Unlike the WannaCry
ransomware attack before it, “NotPetya”
was designed to not spread outside
target networks and it did not include a
kill- switch. Consequently, the attack
may have been a trial run of a
widespread wiper attack. Oil
infrastructure and the Chernobyl facility
were infected, but the impact was
limited. WannaCry spread through
unpatched legacy technology and
infected diverse sectors ranging from
Energy to Healthcare to Government.
The “NotPetya” malware may have been
spread via spear- phishing or a poisoned
accounting software update, but it still
impacted Energy, Transportation, Legal,
and other sectors [9]. Future wiper
campaigns that rely on exfiltrated
metadata could precisely target only the
Energy or Healthcare sectors in specific
regions or states, by first infecting
systems belonging to the niche personnel
whose devices connect to those sensitive
networks.

Meta-Exploitation Unmasks
Users with Psychographic
and Demographic
Algorithms
Psychographic and demographic Big
Data analytics can be used to re-identify
individuals based on metadata about that
person. For instance, everyone has a
medical profile that is created from
medical metadata. In 1997,
Massachusetts Governor William Weld
was re-identified within regional
pseudo-anonymized medical data by
pairing the set with a voter registry [6].
Similarly, every user has a distinct web
traffic profile. They visit particular
sites, use the Internet at certain times,
and browse pages in discernable
patterns. Internet users are slaves to their
rhythmic subconscious behaviors. How
many users start their workday by
logging on, checking email, and then
navigating to the same two or three news
sites or web portals? Cybercriminals
can capitalize on psychographic and
demographic re-identification in
lucrative blackmail schemes against any
politician or public figure that can be
linked to unconventional or
embarrassing online activity. A more
sophisticated adversary, such as a state-
sponsored advanced persistent threat
might compel the victim to exfiltrate
information or act according to certain
instructions. Domestic and Foreign
Intelligence and Counter-Intelligence
assets may also be re-identified,
profiled, and compromised through the
increasingly widespread availability of
metadata.
Very few, if any, Internet users are proud
of all of their online activities. The
adversarial application of
psychographic and demographic Big
Data analytics can potentially undermine
democracy and jeopardize national
security [6]. Re-identification could also
be used to “catfish” or lure victims on
gaming, dating, or social media sites into
relationships under the misapprehension
of romance, friendship, etc. Afterward,
the attacker can elicit the exchange of
more incriminating communications. The
mistakenly trusted adversary might be
able to deliver a malicious payload via
email, social media, or another medium,
that the victim normally would not click
on or download. In the past, the Duke-
family of APT demonstrated that even
videos and images could be potent
malicious attachments [10]. Typical
payloads would include tools that
capture the victim’s screen, establish a
persistent presence on the system,
covertly activate the microphone and/or
camera and record audio or video, log
keystrokes, exfiltrate files, and allow for
the remote execution of code on the
system. After the adversary has
exhausted the utility of the victim, they
might leverage stolen credentials to
access sensitive systems or send
additional social engineering lures
through compromised accounts. The
threat of embarrassment or public shame
alone could be enough to coerce a victim
to act as an insider threat.
Figure 6: Remote Access Trojans
(RATs) Spy on Victims
Attackers can drop and install RATs onto
compromised systems. These tools can
capture keystrokes, images, video, and
audio and they can steal documents, emails,
texts, and other communications.

Meta-Exploitation
Transforms Remote
Contractors into Insider
Threats
State Election Commissions are under-
resourced, under-staffed, and over-
burdened with antiquated proprietary
black-box election systems that have not
been phased out despite inherent security
vulnerabilities. Many states manage their
election systems through a combination
of paid officials, volunteers, and
election manufacturer employees. Some
states also rely on external “Election
Consultants” to remotely update and
manage Voting applications and systems.
The consultant has remote access and
unrestricted control of managed systems.
Reports suggest that in the past,
consultants have even uploaded their
own versions of election software to
systems without the knowledge or
consent of election officials. A single
consultant might manage the elections for
multiple counties or states from a remote
location [11].
Election managers are already tenuous
and potential security liabilities.
Bidding contractors tend to falsify
information, and holistic background
checks are rarely conducted on them.
Some work independently from their
home, with no legal regulations on the
security of their devices. Election
consultant organizations regularly
rebrand to attract new clientele.
These consultants act as “first
responders” to any suspicious activity
detected on election applications and
networks. Because they are hired when
the Election Commission lacks the
prerequisite technical expertise, they
essentially police their own activity on
systems. If the PC or laptop used to
remotely access and manage election
systems is infected with malware, that
code could be laterally transmitted to the
central tabulator or another
subcomponent [11]. Using metadata
collected from dragnet surveillance or
ISPs, an adversary can easily identify
and target a remote Election consultant.
After all, web-portals connecting to
election systems are uncommon online
destinations, and connecting traffic from
outside the region or state can easily be
traced back to its source. Adversaries
may target the individual with social
engineering, spear-phishing, watering-
hole, drive-by-download, or Man-in-
the-Middle attacks. Malicious droppers,
RATs, keyloggers, or credential stealers
may be planted on their systems.
Malware might be directly delivered to
election systems, or the threat actor
might auction Access-as-a-Service.

Meta-Exploitation
Undermines Democratic
Institutions
Despite irrefutable proof of the
vulnerabilities inherent in outdated
black-box proprietary voting systems,
local and state election officials insist
that malicious campaigns would be
extremely difficult or impossible due to
stringent security and access
requirements. They fail to recognize that
many machines remain remotely
vulnerable to infection through poisoned
updates, attacks on the central tabulator,
or other modern vectors, which the
nearly two- decade-old systems were
not designed to repel [11]. Officials
themselves are proportionally
identifiable and exploitable in relation
to the prevalence of metadata because
few users connect to specialized
election official web-portals. Recent
reports allege that a malicious adversary
compromised a voting software
vendor’s systems and sent 122 spear-
phishing emails infected with malware
to election officials. The registration and
voting systems of 39 states may have
been compromised in 2016 as a result.
While there is no evidence of an
influence on the outcome of the 2016
election, by spreading infected election
management software, an attacker could
infect individual ballot machines or
central tabulators on Election Day.
Officials argue that the decentralization
of voting systems and processes
sufficiently secures them against
adversarial compromise; however, if a
threat actor infects the central tabulator
or poisons a widely-distributed
application or update, then the entire
process is invalid [12]. Metadata and
historical voting records can be used to
predict the voting record of a region
within a margin of error. To alter the
outcome of an election without arousing
suspicion or inciting a full recount,
attackers only need to ensure that the
altered outcome lies within the allotted
error. Full recounts consume time and
resources and are rarely conducted [11].
Further, for some states, the candidate
challenging the result must pay for the
audit. Grassroots and even mainstream
candidates tend not to be able to afford
the price of an audit immediately after a
contentious election and within the time-
frame specified for audit requests.

Meta-Exploitation Impedes
Financial Systems
Research into businesses, periodic
consultation of stock prices, and secure
connections to financial institutions can
reveal financial sector personnel within
Metadata sets, to cybercriminals, digital
mercenaries, and nation-state APTs.
Threat actors need only identify
financial personnel and deliver novel
variants of Deep Web malware to reap
immense fiscal gains. Consider the
estimated $1 billion success of the
Carbanak APT [13].
The Carbanak group is a criminal
advanced persistent threat group whose
attacks against at least 100 financial
organizations at 300 IP addresses
located in approximately 30 countries
including Russia, the United States,
Germany, China, and Ukraine, resulted
in an estimated $1 billion in losses in the
first half of 2014. The group relied on a
spear-phishing campaign that delivered
sophisticated malware that was
developed from code widely-available
on Deep Web markets and forums.
Analyzed malicious attachments reveal
that the attackers exploited
vulnerabilities in Microsoft Word 2003,
2007, and 2010 (CVE-2012-0158, and
CVE-2014-1761). After successful
exploitation of a vulnerability, the
shellcode decrypted and installed the
Carbanak backdoor on the victim host.
The Carbanak backdoor installed and
then it re-installed a renamed copy of
itself into “%system32%\com” as
“svhost.exe” with system, hidden, and
read-only attributes. After installation,
the backdoor connects to its C2 server
through HTTP (with RC2+Base64
encryption) and downloads a file
(kldconfig.plug) which details which
process to monitor. The kit sets the
Termservice service execution mode to
auto in order to enable Remote Desktop
Protocol (RDP). The backdoor provided
access to the intranet of the victim
organization. Next, the adversary probed
the intranet for other vulnerable targets
and specifically for critical financial
systems. Typically, tens to hundreds of
computers were infected before an
admin system, with the necessary access,
was compromised. If banking
applications such as BLIZKO or IFOBS
are discovered, then a special
notification is sent to the C2 server to
notify the adversary that financial
systems were discovered. Keyloggers,
screen capture, and remote monitoring
tools were deployed on infected
financial systems. The actors wanted to
learn as much as possible about the
digital environment, relevant
applications, and institutional processes
prior to initiating financial transfers via
a remote administration tool (that was
whitelisted and installed by the system
administrators of the corporate
environment). The learned proficiency
within the system and the compromised
credentials and cryptographic keys
precluded the need for additional
exploits [13].
Obviously, not every cyber-criminal
will have the sophistication, resources,
or patience of an APT such as Carbanak;
however, following the initial
deployment of a backdoor or RAT on the
financial system identified through
metadata, a threat actor could sell
Access-as-a-Service, deploy
ransomware, spread a botnet, or
financially capitalize on the compromise
through any number of alternative
vectors that result in immediate fiscal
gains for minimal resource expenditure.
Figure 7: Exploit Kits are Adaptable
to the Victim
RATs and other tools can easily be
tailored to the victim. Metadata can
guide hackers in preplanning that
customization.
Financial C-level management, who
already face significant public and
professional scrutiny, may be
particularly susceptible to re-
identification and compromise. The
access permitted to their credentials may
exceed what is necessary for their
duties. Information Security personnel
may hesitate to question activity
associated with C-level accounts.
Further, the reputational and
organizational impact resulting from the
internal compromise, loss of millions or
billions in funds, and public outcry, will
be more significant if a C-level
executive is found responsible.

Meta-Exploitation Precisely
Tailors Disinformation and
Fake News
The exchange of granular consumer
metadata increases the potential impact,
pervasiveness, and ubiquity of fake
news, propagated false narratives, and
propaganda. This vector is not new, but
it has recently increased in popularity.
Russia’s “the Agency” spread diverting
opinions and consternation for years
[14]. North Korea has a similar bureau.
Cyber adversaries tailor spear- phishing
emails and craft malvertising lures to
capitalize on cyber-hygienically inept
users’ need to follow links and view
attachments. Lures range in complexity
from precise, error-free custom tailored
spear-phishing emails that leverage the
target’s LinkedIn profile, to typo-riddled
inflammatory spam articles; however,
the focus of every social engineering
campaign is to entice a target
demographic of users to share
information, to open an email, to
download an attachment, to visit a
watering-hole site, etc. For cyber
adversaries, social engineering
campaigns are low risk, high probability
of success, low investment, and high
reward. The first victim covers the
resource cost of the campaign, and each
additional victim is a positive gain.
News, fake news, propaganda, and
disinformation campaigns are multi-
vector attacks designed to infect victim
systems and to spread competing false
narratives, disinformation, and discord.
The resulting conflict of “facts” and
clashing of opinions undermines
democracy and weakens national
security [10].
Individuals feel compelled to pay
attention to prolific headlines, trending
stories, and major outlets; especially
when the subjects are sordid, tragic,
alarming, or topical. Their trust for
legitimate and known news
organizations assuages any caution when
following a link or opening an
attachment. Adversaries may
compromise legitimate popular news
sites and utilize them as watering-hole
sites or purchase banner space on the
sites and redirect visitors to malicious
landing pages. Search history
information and top-level domain
content made available through the sale
and insecure storage, transmission, and
handling of highly sensitive metadata
enables adversaries to optimize their
disinformation campaigns for regions,
for specific targets or targets in a
specific sector [10].
Recently, fake news articles have
emerged as a new social engineering
vector that leverages psychological
attributes and interests of targets against
their ingrained cyber-hygiene training
and awareness. Victims interact with
news lures for a number of reasons,
which include a drive to be “up-to-date”
or current; a sense of urgency; socio-
political polarization; curiosity; or fear.
The most effective lures either
incorporate a real news article as an
attachment, as a malicious link to a
compromised site, or as a tantalizing
banner bordering an article tailored to
the potential victims. For instance, in
2014, the Sochi Olympics, the World
Cup, the death of Robin Williams, the
leak of celebrities’ private photos from
the iCloud, global disasters, and other
stories were used as lures by advanced
persistent threat groups such as the
Chinese state- sponsored Naikon APT,
which has launched spear-phishing
campaigns into organizations
surrounding the South China Sea since
2010. It targets geo-political intelligence
from civilian and military government
organizations in the Philippines,
Malaysia, Cambodia, Indonesia,
Vietnam, Myanmar, Singapore, Nepal,
Thailand, Laos, and China [10]. Russian
APTs such as PinchDuke, CosmicDuke,
APT 28, APT29 and Hammertoss, have
used real or fake news lures in past
campaigns. Cybercriminal APTs like
Dropping Elephant and cyber-terrorist
APTs like the Moonlight APT have also
incorporated news lures into their
campaigns.
In 2016 and 2017, APTs and
cybercriminals, popularized malicious
political fake news lures. During the
2016 election cycle, election systems,
including voter registration records,
were targeted in 39 states, DNC systems
were compromised, and data analytics
subcontractors exposed over 200 million
RNC registration records in plaintext
without security controls [12] [15].
When tailoring a fake news or any other
attack, the prevalence of more personal
information is directly proportional to
the probability that the target will
respond to the lure. Combining exposed
voter registration records with
purchased or exfiltrated metadata
empowers threat actors to craft
tantalizing or infuriating political and
issue based lures that bypass victims’
cyber-hygiene training and awareness to
spread malware, competing false
narratives or polarizing information
amongst typical voters and between
extreme left-wing and right-wing
communities.
Meta-Exploitation Disrupts
Energy Systems
Whale-phishing is the practice of
precision targeting a privileged or
lucrative victim within a subset of
potential targets. The metadata
erroneously and insecurely stored within
private and public sector databases and
naively sold by ISPs facilitates attacks
on system administrators and corporate
executives. Metadata exacerbates the
cybersecurity vulnerabilities and
liabilities lingering from the transition
into the digital age. Training the C-suite
to understand, care, and practice
cybersecurity and cyber-hygiene are
already one of the greatest challenges of
Information Security professionals. No
one wants to dictate instructions to their
bosses. Information Security personnel
in hierarchical sectors are already
struggling to combat the tendency of
superiors deciding they are personally
exempt from security policy and best
practices.
The U.S. Energy sector consists of 7,000
power plants, 55,000 substations,
160,000 miles of high-voltage
transmission lines, and 66 balancing
authorities. Modernization is
complicated by the size of the grid and
the necessity for the constant
transmission of power [16]. Targeting
the C-suite may be an attacker’s best
chance of spreading a persistent and
sophisticated malware onto the network
because management often
(unnecessarily) has administrative
credentials that exceed the needs and
duties of their role within the
organization and because most personnel
will follow lures sent from their
superiors.
The sector is targeted by Russian APTs
like Energetic Bear, Uroburos,
Sandworm, CosmicDuke, MiniDuke, and
numerous others. Chinese APTs, Axiom,
NetTraveler, Deep Panda, etc. also
attack Energy systems. Chinese APT 3
even launches whale-phishing
campaigns against Energy executives.
Iranian Tarh Andishan, cyber-mercenary
Dropping Elephant, cyber-terrorist
collectives such as the Cyber Caliphate,
and hail-mary threat actors focus their
attacks on the sector because it relies on
legacy systems, because every citizen is
a customer to the sector, and because
attacks against the grid have the greatest
potential for cyber-kinetic impacts.
Altering electricity distribution
parameters, redirecting pipes, pressure,
or flow, or any number of minuscule
deviations from operational norms can
result in disproportionately impactful
cyber-kinetic results such as blackouts,
burst pipelines, etc. Many within the
Energy sector still rely on security-via-
obscurity or decentralization-as-security
instead of modernizing to layered
Figure 8: Mercenary Hackers are
Available
Mercenary hackers are cheap,
accessible, and common on Deep Web
markets and forums. Their services
are frequented by script kiddies, cyber
criminals, hail-mary threats, cyber-
jihadists, and other attackers in multi-
layered campaigns
Compromising a naïve or “old-world”
executive is an attacker’s greatest
opportunity of severely compromising or
crippling an Energy organization. The
negligent exchange of metadata exposes
personal preferences, interests, and
communications of Energy executives.
Every variety of adversary can leverage
that information in precision tailored
social engineering or watering- hole
attacks. Those without the technical
means, such as hail-mary threats, may
outsource the initial infection or stages
of the multi-vector attack campaign to
cyber-mercenaries. For instance, a hail-
mary actor like North Korea might hire
one or more cyber-mercenaries to
disrupt an Energy organization. After
using Metadata to profile, target, and
whale-phish an Energy C-level, or using
metadata to identify and compromise a
less secure site where they reuse
credentials, a cyber-mercenary might
send additional phishing emails to lower
level personnel or sell access-as-a-
service to additional attackers. The hail-
mary actor might disrupt distribution,
interfere with the parameters of legacy
systems, deliver wiper malware, or
launch a cyber-kinetic attack on the grid.
Figure 9: Hacker-for-Hire Outfits are
Recruiting
Even adversaries who lack technical skills
enough to exploit metadata can use it to
launch tailored attacks by contracting
cyber-mercenaries on Deep Web forums.
Script kiddies, cyber-jihadists, hail-mary
threat actors, and APTs outsource layers of
their attacks. The market is so fruitful that
many operations have begun recruiting
additional talent. The practice has become
so normalized that the listings resemble
traditional job postings.

Meta-Exploitation Cripples
the Healthcare Sector
Figure 10: The Healthcare Sector is
Plagued by Custom Ransomware and
Ransomware-as-a-Service
The healthcare sector is submerged in a
ransomware epidemic. Healthcare systems
are particularly susceptible to ransomware
because they are antiquated and because
lives are jeopardized every minute that they
are offline. Ransomware-as-a-Service and
customized malware can be purchased from
Deep Web stores such as the Rainmaker
Labs pictured in Figure 10. The adoption of
modernized systems and layered defenses
will do little to deter the onslaught of
malicious campaigns if adversaries can
precision target exhausted, over-exerted,
and un-cyber-hygienic personnel in
metadata-driven social engineering
campaigns.

The healthcare sector guards a treasure

trove of valuable and highly sensitive
electronic healthcare records. As a
resourceful yet significantly vulnerable
economic category, it is also the frequent
victim of ransomware campaigns. For
instance, the May 12, 2017, WannaCry
attack infected 48 NHS Trust facilities
in the UK. One of the challenges of
securing medical systems is that
healthcare facilities rely on numerous
staff from diverse backgrounds and on
patient security [17]. If a single infected
BYOD device enters a hospital, the
medical network connecting multiple
hospitals could be infected and crippled
in minutes or hours. Recent efforts have
attempted to modernize medical systems,
protect medical devices behind layered
security, and train staff in basic cyber-
hygiene. The forfeiture of metadata
detracts from that progress by directing
attackers to which sites to infect as
watering-holes, where to place drive-
by-download banner ads, or even which
devices to infect. Chances are that the
next stop for visitors to WebMD or
similar digital diagnoses services is a
medical facility. Similarly, the PHI
networks, cloud services, niche journals,
and telecommunication channels
employed by medical professionals can
likely be used to identify them. Doctors,
nurses, administrators, and other
medical staff are notoriously stressed
and distracted. They are prime targets
for adversarial exploitation. Further,
many resort to unsavory vices to mitigate
the pressures of their work. Enterprising
adversaries could leverage their
distraction with “urgent” spear-phishing
emails to infect medical networks with
ransomware, cyber-kinetic malware, or
other malicious code, or they could
blackmail medical professionals with
their online metadata to entice them to
exfiltrate IP, PII, or EHR, or to infect
network systems. Once the system is
infected with a persistent backdoor, the
adversary can sell Access-as-a-Service,
or they can spread ransomware, RATs,
keyloggers, password dumpers, or other
malware that captures the screen,
camera, or microphone, onto critical
systems. The adversary can exfiltrate
and sell PII and EHRs on Deep Web
markets and forums. The combination of
these records and metadata may increase
the utility and value of “Fullz.” In
addition to identity theft, blackmail,
financial fraud, etc. adversaries will
find novel vectors to further exploit
patients based on their medical
information and metadata. The potential
cascading impacts are unparalleled
because hackers will own both “who a
victim is” and “how a victim behaves.”
Patients, who may not be aware of the
compromise, cannot change the
fundamental and biological
characteristics of their identity.
Consequently, attackers will virtually
own the victim for years or decades. It is
a close wager whether malicious
hackers, negligent ISPs, or irresponsible
healthcare organizations will capitalize
most on the fate of patients’ whose
essential identity was packaged as
metadata and sold to any entity with a
budget.
 5 | The Surveillance
State and Censorship
Legislation
Conundrum

Dragnet Surveillance &

Censorship Legislation Will Do
Nothing to Eliminate Cyber
Jihad & Lone Wolf Recruiting

Backdoors for the Good

Guys, Means Backdoors for
the Bad Guys
Cyber-insecurity is not a natural
problem; it is unintentionally caused by
a combination of the negligence, naivety,
and ignorance of irresponsible data
managers or it is intentionally resultant
of the actions of malicious insiders,
unknown threat actors, or reckless data
stewards. Cybersecurity does not follow
the laws of the physical world. For
instance, the public relies on the
government to protect it from or respond
to floods, earthquakes, or other natural
disasters. The public relies on
government for defense from military
excursions. Where the government
cannot directly prevent or respond to a
disaster, the public depends on the
government to responsibly regulate
protections; as is the case with building
security and other regulations.
Meanwhile, in the realm of
cybersecurity, the public is increasingly
reliant on private businesses to
responsibly protect data and freedoms,
even though those same organizations
have repeatedly failed to do so in the
past because repeated government
legislative efforts critically jeopardize
the security and privacy of the public.
Recently, state agencies have begun
initiatives to inject backdoors, weaken
encryption, and exploit discovered or
implanted system vulnerabilities in
attempts to identify early indicators of
terrorist activity, to locate and
apprehend suspected criminals, and to
dismantle adversarial networks or
disable dangerous technology.
Requirements to weaken encryption or
intentionally hobble an otherwise secure
application primarily impact consumers
(whose data is stolen and abused) and
small and medium businesses and non-
profits (who cannot afford cyber-
insurance or the lawsuits resulting from
a breach) [1]. Further, the establishment
and expansion of dragnet surveillance
capabilities presuppose an intentionally
permanent instability of national and
global communication networks. System
vulnerabilities are unanimously
exploitable by script kiddies,
cybercriminals, techno-jihadists, digital
mercenaries, nation-state advanced
persistent threats (APTs) and the
agencies which introduce or require the
vulnerability in the first place.
Governments are thereby complicit in
every attack that leverages that flaw.

The Rise of the Lone-Wolf

Threat & Ease of Cyber
Jihad
Self-polarized lone wolf threat actors
are the new profile of terrorists (of all
varieties and denominations) across the
globe. Before the internet, troubled
individuals often did not radicalize to
the point of action because in order to do
so they had to physically identify, locate,
and connect with a tangible local
congregation of like-minded individuals.
Now on the Internet, radicalization can
occur instantly and anonymously within
significantly larger and more
geographically distributed groups.
Statistically, physical membership in
hate groups has actually diminished
because troubled lone wolves can
instantly gratify and cultivate their
radical beliefs, they can remotely plan
their assaults with online resources
(Google Maps, etc.), and they can
consume propagandist narratives to
model their campaigns around and to
assure them that their purpose is worth
serving and that their sacrifice will be
remembered.
Lone wolf threat actors feel isolated and
turn to the internet for community and
purpose. Their online accounts exhibit
behaviors of seeking attention,
polarization, and further isolation as
those that they interact with subjugate
them or disagree with their adopted
ideology. Once they feel that they can no
longer communicate with the online
communities of their past, their only
outlet becomes the radicalization
network which capitalizes on their
seclusion and desire for attention,
renown, or purpose. Social media
recruitment channels and keywords, such
as Twitter hashtags, can be used to track
radicalization efforts or dismantled to
diminish the propagation of recruitment
materials. Identifying, monitoring, and
apprehending recruiters, potential
recruits, and radicals can preempt
attacks, but it will only delay the overall
campaign as no individual is
indispensable to the network.
In every country targeted by self-
radicalized lone wolves, Law
enforcement is overexerted and under-
resourced. National or global dragnet
surveillance initiatives will only further
exhaust agencies resources and further
obfuscate adversary communiqués
within a massive cloud of noise. Instead,
law enforcement should concentrate on
monitoring Deep Web forums and on
dismantling the distribution channels and
generation resources of radicalization
propaganda materials. Lone wolf threat
actors research, recruit, and discuss
their plans, within radical online
communities prior to actually launching
the physical attack because, at their root,
they desire recognition and a like-
minded community more than they
believe in their actions. These are
troubled individuals who want to be
remembered for something, and they
often seek affirmation that someone in
some online community will remember
their narrative. The polarizing
publications distributed on the open
Internet and Deep Web contain
radicalization campaigns, intended
attacks blueprints, choice targets, etc.
and they are pivotal in terrorist
campaigns. For instance, in November
2016, ISIS’s publication Rumiyah,
published articles urging Western
readers to utilize rented trucks and
handheld weapons in multi-stage public
attacks. The article included
infographics and characteristics of
vehicles and physical weapons to avoid.
This template almost definitely
influenced the London Bridge and other
recent campaigns. Other publications
include Kybernetiq and Dabiq. The
magazines regularly include spreads
detailing “hagiographies of mujahids”
who died in Western assaults. The
profiles appeal to vulnerable and
susceptible individuals and are
extremely influential in the
radicalization process because they
promise infamy and purpose to those
who have none.
Nation-state dragnet surveillance of the
open and free Internet will be more
detrimental to global populations than
sophisticated Intelligence and Counter-
Intelligence efforts that precisely
monitor and target recruitment channels.
Adversaries can always find new
message boards, encrypted messengers,
etc. to utilize in their terror campaigns.
Average citizens cannot. In fact, no
national or global effort to surveil
civilian web traffic can map, control, or
monitor Deep Web, where most
nefarious activity occurs. Even tracking
sophisticated adversaries who rely on
multiple jump boxes or VPNs would be
difficult or impossible. Every effort that
reduces freedoms or invades privacy is
in a way, a secondary adversarial
victory because it is a self- inflicted
social harm on the free world without
significantly impeding adversarial
campaigns. Radicals have little or no
switching costs in their communication
and recruitment mediums. It costs them
nothing but time and human resources to
create more Twitter accounts or set up a
new Deep Web site. A greater impact
can be achieved by surveilling specific
communications, identifying code
words, etc. than on mass surveilling
entire populations and attempting to
discern radical rhetoric through the
noise. Instead of targeting disposable
assets, resources would be more
effectively spent targeting key figures
and infrastructure in the propaganda
machine. Consider the publications used
to polarize many lone wolf actors are
pretty professional. There cannot be
many graphic designers or publishers
within ISIL.
The retraction of civilian freedoms is a
knee-jerk reaction that only benefits
adversaries in the long-term because
they can adapt and utilize unconventional
mechanisms; whereas average civilians
cannot. Even the repeated campaigns to
backdoor or decrypt WhatsApp
missives, if successful, would deprive
citizens of private and secure messaging
while adversaries could transition to
Deep Web communication mechanisms
or even to unconventional channels such
as mobile game chat rooms. Any effort
to monitor all Internet traffic or to censor
particular dialogues is a dangerous
slippery slope that will inevitably inflict
societal harm far exceeding any
transitory advantage over radical
adversaries. Any and every freedom
sacrificed out of fear of a threat is
nothing but a concession to their cause
and an affirmation that they should
continue their efforts [2].

The Failed U.K.

Surveillance State Will
Become Weaker with
Backdoors and Dragnet
Censorship Legislation
Dragnet surveillance legislation has
propagated in response to recent terror
incidents that were catalyzed by digital
propaganda and polarization
mechanisms. In March, a car-and-knife
attack on Westminster ended with five
casualties. The May Manchester
bombing killed 22 civilians. The London
Bridge terror attack resulted in seven
deaths and dozens of injuries following
a van- and-knife assault. Following the
London Bridge terror attack, May
commented, We cannot allow this
ideology the safe space it needs to breed
– yet that is precisely what the internet,
and the big businesses that provide
Internet-based services provide,” she
continued, “We need to work with allied
democratic governments to reach
international agreements to police
cyberspace to prevent the spread of
extremist and terrorism planning.” The
Conservative Tories have committed
wide-ranging plans to regulate the
Internet in an attempt to deter digital
radicalization of lone-wolf threat actors
and other terrorists [3]. They believe
that the digital world and the tangible
world should both be delimited by the
same strong rules. The believe, “Our
starting point is that online rules should
reflect those that govern our lives
offline,” and continue, “It should be as
unacceptable to bully online as it is in
the playground, as difficult to groom a
young child on the internet as it is in a
community, as hard for children to
access violent and degrading
pornography online as it is in the high
street, and as difficult to commit a crime
digitally as it is physically” [4]. Their
plan is to transform the UK into a global
leader in the regulation and use of the
Internet and personal data [3]. The
document states “Some people say that it
is not for government to regulate when it
comes to technology and the internet. We
disagree.” Members of the party
confirmed to journalists that the phrasing
indicates intentions to restrict what can
be shared, posted, or published online
[4]. It repeatedly suggests that the
government may even decide which
news stories from which news sources
may be published online [3]. It may also
change how online firms are paid for
digital content or services [4]. Prime
Minister Theresa May suggested that an
international agreement regulating online
content was necessary to stymie terrorist
ideologies and she is seeking a global
commitment from technology firms and
governments to monitor and regulate
web traffic; especially communications.
At a campaign event, she stated, “We do
need to have those international
agreements to control cyberspace so that
terrorists cannot plan online” [3] [5]
This motion to control cyberspace
follows the Investigatory Powers Act,
which allows the government to compel
Internet corporations to record
consumers’ browsing history and to
empower ministers to break WhatsApp
and other message encryption. The Act
requires ISPs to maintain a list of
Internet users’ online visits for one year,
it grants intelligence agencies more
power to intercept digital
communications, and it allows Police to
access stored browsing history without a
warrant or court order. The government
is encouraging technology companies to
incorporate backdoors into encryption
messaging services and other secure
programs even though doing so weakens
the security and privacy of all other
users and injects dangerously
exploitable vulnerabilities into the
programs [4]. Weakening encryption,
installing backdoors, etc. seriously
endangers customers and their data and
the processes undermine business
activities. Data is transitory, and the
Internet is an open and shared
commodity. Asymmetric regulation
could destabilize global economies or
incite geopolitical conflicts.
International corporations or
organizations that process international
web traffic would be specifically
impacted because their compliance with
dragnet surveillance regulations violates
laws in other areas where they operate.
In point, without an international
agreement, Internet Service Providers
cannot comply with any UK initiatives
that would authorize the monitoring of
users on behalf of the UK government
because it would break laws in other
countries and incite international
conflicts.
Under the Tories plan, Internet
companies are subject to a levy that will
fund advertising campaigns that espouse
the dangers of the Internet and that
“support awareness and preventative
activity to counter internet harms.” The
dragnet surveillance initiatives
suggested by UK leadership could lead
to policies that block or shut down
websites and companies that either
refuse to block content or refuse to
allow communications to be monitored.
In a section entitled “the safest place to
be online”, the manifesto justifies this
level of dragnet surveillance and public
chilling by claiming, “In harnessing the
digital revolution, we must take steps to
protect the vulnerable and give people
confidence to use the internet without
fear of abuse, criminality or exposure to
horrific content.” Overall, the
regulations could lead to government
censorship of the Internet similar to the
Great Firewall of China. In response to
an inquiry on whether she would dismiss
China-style digital censorship, May
stated only that she would “work with
companies.” She also did not discount
the possibility of shutting down Internet
entities that refused to comply with
instituted dragnet regulations. As a point
of note, even China’s Great Firewall is
regularly circumvented, and it does not
prevent Chinese Deep Web communities
from forming.
Establishments that refuse to comply
with the Investigatory Powers Act or
other privacy- invasive regulations will
be subject to strict and formidable
punishments. The proposal introduces a
sanctions regime that enables regulators
to fine or prosecute organizations that
fail or refuse to execute their legal duties
to remove content that is in violation of
UK law. The government does not
believe that the risks to consumers
outweigh the potential benefits, that the
invasive security measures or weakened
privacy protections jeopardize citizens,
or that the regulations will significantly
disrupt businesses operations.
Multiple technology firms have also
warned against hasty attempts to
increase regulation or control of the
Open Internet as a knee-jerk response to
kinetic terror campaigns since the
measures would substantially inhibit
conventional usage and traffic and it may
barely impact adversarial operations. A
majority of cyberspace is controlled by
private companies such as Google and
Facebook. These laws would undermine
that control by regulating what content
can be published, where it can be
posted, and in some cases, how it can be
presented. For instance, the manifesto
states, “We will put a responsibility on
industry not to direct users – even
unintentionally – to hate speech,
pornography, or other sources of harm”
which suggests that it may prevent
search engines like Google from
directing users to any adult-content.
Restrictions would be placed on
viewing pornographic websites and any
exceptions to access that content would
have to be justified and approved by
ministers [4].
According to the Opens Rights Group,
any approach to regulating the Internet,
to monitoring communications, or to
weakening encryption increases the risk
to private infrastructure and public
safety. The group opines that adding
government controls on the content of
cyberspace would do little to enhance
public security and it might make future
terrorist operations more difficult to
detect and prevent [6]. Cyber-jihadist
and other radical networks will respond
to any amplified regulation or
monitoring by burrowing deeper into
unorthodox communication channels and
Deep Web [6]. While pushing these
networks into more obfuscated channels
will decrease the number of monthly
recruits, as the recruitment and
propaganda distribution points are
technologically harder to find, there is
no guarantee that it will significantly
deter the dedicated “wound-collectors”
who eventually develop into lone-wolf
threats.
Dragnet surveillance proposals capture
millions of users in a net of privacy
invasions and instituted web insecurities
in an attempt to catch a few elusive
threats. Actions to regulate or censor the
global Internet run counter to its purpose
as a free and open network. Prime
Minister May’s proposal ignores that
many of those complicit in recent terror
attacks were already known and actively
surveilled by intelligence communities.
Sweeping mass surveillance may only
augment the noise surrounding imminent
threats and increase the workload of the
already overwhelmed law enforcement
community tasked with identifying,
monitoring, and preempting threats [7].
The goal of these proposals is to ensure
that there is no “safe space for terrorists
to be able to communicate online”;
however, there is no evidence that such
measures will significantly hinder
adversarial operations more than they
inhibit public privacy and freedoms [4].
In attempting to combat fake news and
polarizing propaganda, the Tory
manifesto “[takes] steps to protect the
reliability and objectivity of information
that is essential to our democracy”;
however, it could seriously infringe on
citizens’ rights to express themselves or
to voice dissent from whomever
currently leads the government. After all,
who does the government intend to
appoint to determine whether news
stories or social media posts are
reliable or objective? If ideally
implemented, no political propaganda
(of any party) could be spread online.
The stark reality is that such subjective
governance (as the monitor would likely
be appointed by the controlling party)
could be abused to silence political
opponents as much as nonconforming
citizens.
Dragnet surveillance is not limited to the
UK. In Germany, authorities rely on state
surveillance software, which is secretly
installed on mobile phones and sends
data to prosecutors. In 2016, Austrian
Interior Minister Wolfgang Sobotka
promoted a bill to impede terror
communication networks by undermining
the security and cryptographic
mechanisms implemented on certain
messaging applications. Austrian Justice
Minister Wolfgang Brandstetter
championed a similarly invasive bill.
Following the Manchester terror attack,
the Social Democratic Party of Austria
and the Austrian People’s Party pushed
for enhanced government dragnet
surveillance to assuage terror threats
[8]. In contrast to emerging dragnet
surveillance laws in multiple countries,
a European parliamentary committee
pushed forward draft legislation that
would protect personal privacy and ban
backdoors into end-to-end encryption
applications [7].
Under the Telecommunication
(Interception and Access) Act of1979,
Australian telecommunication service
providers are required to store all users’
metadata. The data are required to be
encrypted and protected from
unauthorized access or interference;
however, the cryptographic algorithm
employed and storage location of the
metadata are not specified.
Consequently, massive pools of
sensitive data remain vulnerable as
individual service providers under-
secure the information. The metadata
includes Internet and communication
records of public servants, critical
infrastructure operators, C-level
executives, diplomats, politicians,
private citizens, etc [20].
On October 13, 2015, Australia passed
the Data Retention Bill requiring ISPs to
record the web activity of every citizen
[19] [20]. The bill limited which federal
government departments could access
the metadata; but, some entities have
attempted to bypass the legislation by
requesting that the Australian Federal
Police (AFP) conduct searches on their
behalf. These departments include the
Australian Taxation Office (ATO), the
Department of Foreign Affairs and
Trade (DFAT), the Department of
Agriculture, the Department of
Education, and the Department of Social
Services. Advice to consult AFP
allegedly came from the Attorney-
General’s Department. To their credit,
AFP has declined the requests, citing
“resource, compliance, and risk
considerations.” The access restrictions
were implemented to assuage public
policy concerns. Nevertheless, 61
government entities applied to be
classified as enforcement agencies to
gain access to consumers’ metadata. At
the time of this writing, none had been
confirmed by the Attorney-General’s
Department [20].

Surveillance is Not Security

Rather than pass laws forcing companies
to responsibly secure and handle data
according to cybersecurity best practices
and consumers best interests,
governments are participating in the
same reckless behaviors such as failing
to secure systems and data, ineffectually
detecting insider threats, and naively
injecting backdoors into sensitive
systems and consumer goods [7]. The
US government, like every other
government, has not proven itself
capable of adequately secured its data
and systems. In 2010, US Army
Intelligence Analyst Bradley Manning
disclosed three-quarters of a million
documents concerning Iraq and
Afghanistan. In 2013, Edward Snowden
exfiltrated thousands of documents
related to the NSA, GCHQ, and global
surveillance, intelligence, and counter-
intelligence initiatives. In 2016, the
ShadowBrokers leaked, sold, and
exploited tools allegedly developed by
the NSA [9]. In 2017, contractor Reality
Winner exfiltrated and leaked documents
related to Russian military intelligence
[10]. In 2017, WikiLeaks released
“Vault 7”, alleging that the disclosed
tools were used by the CIA to target
smart TVs, mobile devices, and other
IoT devices by leveraging undisclosed
vulnerabilities and backdoors.
The White House recently voiced its
support for a permanent reauthorization
of Section 702 – a surveillance authority
that monitors millions of Americans
under the premise of monitoring
foreigners likely to communicate
“foreign intelligence information.”
According to Thomas Bossart, a
homeland security advisor to President
Trump, Section 702 “does not permit the
targeting of Americans. The authority
expressly forbids intentional targeting of
a United States person for surveillance.”
However, critics contend that existing
law permits the FBI and other federal
agencies to search data collected under
Section 702, for info about Americans,
without a warrant or formal
investigation, in cases unrelated to
national security or terrorism. Bossart
continues, “Over nearly a decade of
rigorous oversight, no intentional abuse
of the Section 702 authority has ever
been identified, and the government has
quickly taken action to rectify
unintentional mistakes.” A declassified
2011 FISA court opinion details the
collection of 250 million digital
communications under Section 702 that
were to be retained for a default of five
years. As such, opponents to 702 assert
that over a billion communications may
be stored on government servers and that
roughly half of those files contain
information about Americans. There has
been a litany of cases alleging unlawful
searches of Americans’ information,
improper conveyance of that data with
third-parties, and failures to handle
attorney-client communications
appropriately. While the Privacy and
Civil Liberties Oversight Board of the
Executive branch is meant to oversee the
program, both President Obama and
President Trump failed to appoint
nominees for its chair [11] [12].
Under Section 702, a federal court can
approve and supervise the collection of
foreign persons’ information in foreign
countries that happen to use American
communication infrastructure and
services. However, the Foreign
Intelligence Surveillance Court
approves the entire Section 702 program
annually in secret proceedings. It never
analyzes whether grounds exist to merit
the monitoring of an individual [11].
This is akin to approving wiretappings
en-masse without necessitating
justification or cause per case. Consider
that according to a 2016 report, in 34
years, the court approved 35,000
applications and only rejected 12
requests for foreign surveillance under
the Patriot Act [13].
The intelligence agencies recently
adopted a policy to limit the Section 702
Upstream program, whereby the
government monitors Americans’ web
traffic via the Internet backbone, for data
related to over 100,000 targets.
However, the administration expressly
reserved the right to restart the program
and continue to collect information under
Upstream [11].
Dragnet Surveillance
Cannot Stymie Terrorism,
But A.I. Can
In August 2016, a UK government
committee said that Facebook, Twitter,
and Google have been “failing to tackle
extremism” and the Home Affairs Select
Committee said the social networks need
to show a “greater sense of
responsibility” and they should use their
earnings to help solve problems in the
online world. In early 2017, Google lost
millions in advertising revenue on its
YouTube platform when brands
boycotted in reaction to their ads
appearing before or next to extremist
videos. In response, Google adopted a
machine learning and artificial
intelligence system that utilized video
analysis models that rely on content
classifiers to discover more than half of
the terrorism-related content removed
from YouTube in the past six months.
Obviously, artificial intelligence and
machine learning alone cannot detect all
adversary activity nor can they perfectly
prevent false positives that
unintentionally remove legal user
content. But the solutions better ensure
security and privacy than censorship or
dragnet surveillance. Artificial
intelligence and machine learning
systems are taught by humans to increase
gradually in accuracy and efficiency.
The system is trained by operators while
independent experts still respond to
flagged content. YouTube was accused
of hosting extremist content in the
immediate backlash following the
London attacks, and they have since
expanded the efforts of their Jigsaw
group, which points those seeking
radical videos to anti-terrorist content
instead. Similarly, Facebook is
leveraging machine learning algorithms
to identify and remove extreme content
using indicators such as friend count,
connections to accounts disabled for
terrorist activity, or similarities to said
accounts [14]. The algorithms also mine
words, images, and videos to root out
propaganda and messages. Hashes or
digital video fingerprints are also used
to flag and intercept extremist videos
before that are posted. Artificial
intelligence is also being used to analyze
text that has been removed for
supporting or praising terrorist
organizations, to identify other
propaganda, and to ferret out private
groups that support terrorism. [15].
Rather than censor the entire Internet in
an attempt to sift through the dynamically
increasing pool of user data for the few
extremists, state entities could leverage
artificial intelligence and machine
learning systems to identify potential
lone-wolves prior to polarization or to
distinguish shifts in the propaganda
delivery channels. After all, if Facebook
can implement an algorithm that
identifies whether users are depressed
and if so, alters their content to improve
their mood, is it out of the realm of
possibility for intelligence agencies to
discover developing lone-wolf threat
actors prior to radicalization based on
their distinct profiles and redirect them
to accepting communities that provide
them a sense of purpose and meaning
without the extremism [16]?

Adversaries Will Exploit

Backdoors and Weakened
Encryption
Terrorist attacks existed long before the
Internet, and they will continue even if
online communications are monitored
and regulated. If anything, the open and
free Internet encourages them to use
convenient communication channels
which might be actively and
unknowingly monitored by law
enforcement; whereas, widespread
dragnet surveillance will
overwhelmingly increase the noise
surrounding confidential missives, and
will inspire threat actors to communicate
via more secure and less obvious
channels or more challenging to monitor
portions of the Internet, such as Deep
Web, massive multiplayer online games,
single- use email clients, etc.
Governments are responsible for
securing their peoples’ data and for
ensuring that private companies likewise
secure data in transit, at rest, and during
processing. Introducing backdoors into
applications and systems forces data
stewards to willingly undermine the
cybersecurity of their systems and data.
Consequently, those systems and data
are at significantly greater risk of
compromise from every adversary
capable of discovering and exploiting
the intentional vulnerability in the
system. Even just weakening encryption
significantly heightens the threat to
consumers because otherwise, the threat
actor would not be able to abuse any
stolen data. Further, cybersecurity is
fundamentally governed by cost-to-
rewards ratios and risk assessments
pertaining to adversarial investment of
resources and organizational defenses.
Once encryption is weakened, more
adversaries will target the system
because they will need less skill, time,
etc. to breach the defenses and they have
a greater chance of compromising the
weakened encryption so that they can
leverage the data in future campaigns,
fraud, etc. Essentially, by requiring
organizations to weaken encryption and
introduce exploitable vulnerabilities into
their applications based on the
speculation that doing so could possibly
lead to the detection of a few more
kinetic assailants, governments are
explicitly guaranteeing that a maximum
of cyber-threat actors successfully
compromise public and private sector
systems and exfiltrate treasure troves of
PII, PHI, IP, and other data, at a minimal
cost of resources.
 CONCLUSION
Metadata is collected and sold by
negligent and avaricious ISPs at a severe
risk to consumers, private businesses,
federal entities, and national security.
Energy, Healthcare, Finance, Defense,
and every other sector are violently
susceptible to the precision targeting of
C-level executives, niche personnel,
average consumers, etc. facilitated by
the adversarial adoption and malicious
exploitation of users microscopically
detailed Internet browsing histories and
behaviors used in combination with
existing social engineering schemes,
exploit kits, and sophisticated custom
malware. When paired with Big Data
psychographic and demographic
algorithms, artificial intelligence, and
machine learning, metadata catalyzes
and optimizes fake news, propaganda,
disinformation, and false narrative
campaigns which undermine democratic
institutions, national stability, and
economic markets. Cyberwarfare is
already being waged in the kinetic,
digital, and mental realms using
metadata as the primary weapon to
successfully target and compromise
public and private entities. Regulating
the exchange of customer information,
limiting dragnet surveillance initiatives,
mandating the security of data in transit,
storage, and processing and prohibiting
ISPs from haphazardly and negligently
capitalizing from their paying customers,
are the only ways to mitigate the
emerging meta-data driven cyberwar.
 CONTACT
INFORMATIO

ICIT Contact Information

Phone: 202-600-7250 Ext 101
E-mail: http://icitech.org/contactus/
ICIT Websites & Social Media
www.icitech.org
https://twitter.com/ICITorg

https://www.linkedin.com/company/institu
for-critical-infrastructure- technology-
icit-
https://www.facebook.com/ICITorg
 SOURCES

[1] Cole, D. (2014). ‘We Kill People

Based on Metadata’. [online] The New
York Review of Books. Available at:
http://www.nybooks.com/daily/2014/05/1
kill-people-based-metadata/ [Accessed
30 Jun. 2017].
[2] Marr, B. (2017). What Is Metadata?
A Simple Guide to What Everyone
Should Know. [online] Data Informed.
Available at: http://data-
informed.com/what-is-metadata-a-
simple-guide-to-what-everyone-should-
know/ [Accessed 30 Jun. 2017].
[3] Masnick, M. (2017). No, You Can’t
Buy Congress’s Internet Data, Or
Anyone Else’s. [online] Techdirt.
Available at:
https://www.techdirt.com/articles/201703
you-cant-buy-congresss-internet-data-
anyone-elses.shtml [Accessed 30 Jun.
2017].
[4] Scott, J. and Spaniel, D. (2016).
China’s Espionage Dynasty: Economic
Death by a Thousand Cuts. [online]
Amazon.com. Available at:
https://www.amazon.com/Chinas-
Espionage-Dynasty-Economic-
Thousand/dp/153532743X/ref=asap_bc?
ie=UTF8 [Accessed 30 Jun. 2017].
[5] Scott, J. and Spaniel, D. (2017).
ICIT Analysis – S.J. Res. 34 –
Introduction of Privatized Censorship.
[online] Icitech.org. Available at:
http://icitech.org/icit-analysis-s-j-res-
34-introduction-of-privatized-
censorship/ [Accessed 30 Jun. 2017].
[6] Scott, J. and Spaniel, D. (2017).
ICIT Publication: Dragnet Surveillance
Nation: How Data Brokers Sold Out
America. [online] Icitech.org. Available
a t : http://icitech.org/icit-publication-
dragnet-surveillance-nation-how-data-
brokers-sold-out-america/ [Accessed 30
Jun. 2017].
[7] MIT Technology Review. (2016). A
machine can tell whether you’re
depressed just by looking at your photos
on Instagram. [online] Available at:
https://www.technologyreview.com/s/602
an-algorithm-learned-to-identify-
depressed-individuals-by-studying-
their-instagram/ [Accessed 30 Jun.
2017].
[8] Scott, J. and Spaniel, D. (2017). The
Anatomy of Cyber-Jihad: Cyberspace is
the New Great Equalizer. [online] ICIT.
Available at:
https://www.amazon.com/Anatomy-
Cyber-Jihad-Cyberspace-Great-
Equalizer/dp/1535193360/ref=tmm_pap_s
_encoding=UTF8&qid=&sr= [Accessed
30 Jun. 2017].
[9] Ivanov, A. and Mamedov, O. (2017).
ExPetr/Petya/NotPetya is a Wiper, Not
Ransomware - Securelist. [online]
Securelist.com. Available at:
https://securelist.com/expetrpetyanotpetya
is-a-wiper-not-ransomware/78902/
[Accessed 30 Jun. 2017].
[10] Scott, J. (2017). “Fake News” Is
“Old News” for Nation State and
Mercenary APTs. [online] Icitech.org.
Available at: http://icitech.org/fake-
news-is-nothing-new-for-nation-state-
and-mercenary-apts/ [Accessed 30 Jun.
2017].
[11] Scott, J. and Spaniel, D. (2016).
Hacking Elections is Easy!: Preserving
Democracy in the Digital Age. [online]
Amazon.com. Available at:
https://www.amazon.com/Hacking-
Elections-Easy-Preserving-
Democracy/dp/1539850102/ref=asap_bc?
ie=UTF8 [Accessed 30 Jun. 2017].
[12] Fessler, P. (2017). If Voting
Machines Were Hacked, Would Anyone
Know?. [online] NPR.org. Available at:
http://www.npr.org/2017/06/14/53282443
voting-machines-were-hacked-would-
anyone-know [Accessed 30 Jun. 2017].
[13] Bennett, J. and Vengerik, B. (2017).
Behind the CARBANAK Backdoor «
Threat Research Blog. [online] FireEye.
Available at:
https://www.fireeye.com/blog/threat-
research/2017/06/behind-the-carbanak-
backdoor.html [Accessed 30 Jun. 2017].
[14] Chen, A. (2015). The Agency.
[online] Nytimes.com. Available at:
https://www.nytimes.com/2015/06/07/ma
agency.html [Accessed 30 Jun. 2017].
[15] Larson, S. (2017). Data of almost
200 million voters leaked online by
GOP analytics firm. [online]
CNNMoney. Available at:
http://money.cnn.com/2017/06/19/technolo
data-leaked-online-gop/index.html
[Accessed 30 Jun. 2017].
[16] Scott, J. and Spaniel, D. (2016).
The Energy Sector Hacker Report:
Profiling the Hacker Groups That
Threaten Our Nation’s Energy Sector.
[online] Amazon.com. Available at:
https://www.amazon.com/Energy-
Sector-Hacker-Report-
Profiling/dp/1540446883/ref=asap_bc?
ie=UTF8 [Accessed 30 Jun. 2017].
[17] Scott, J. (2017). There’s Proof That
North Korea Launched the WannaCry
Attack? Not So Fast! – A Warning
Against Premature, Inconclusive, and
Distracting Attribution. [online]
Icitech.org. Available at:
http://icitech.org/theres-proof-that-north-
korea-launched-the-wannacry-attack-
not-so-fast-a-warning-against-
premature-inconclusive-and-distracting-
attribution/ [Accessed 30 Jun. 2017].

5 | The Surveillance State &

Censorship Legislation
Conundrum
[1] Morozov, E. (2017). Cyber-
insecurity is a gift for hackers, but it’s
our own governments that create it |
Evgeny Morozov. [online] the Guardian.
Available at:
https://www.theguardian.com/technology/
insecurity-hackers-data-theft-protection
[Accessed 20 Jun. 2017].
[2] Scott, J. and Spaniel, D. (2016). The
Anatomy of Cyber-Jihad: Cyberspace is
the New Great Equalizer. [online] ICIT.
Available at:
https://www.amazon.com/Anatomy-
Cyber-Jihad-Cyberspace-Great-
Equalizer/dp/1535193360/ref=tmm_pap_s
_encoding=UTF8&qid=&sr= [Accessed
20 Jun. 2017].
[3] Griffin, A. (2017). Theresa May says
she is going to regulate the internet
worldwide. [online] The Independent.
Available at:
http://www.independent.co.uk/life-
style/gadgets-and-tech/news/theresa-
may-internet-regulation-conservatives-
general-election-2017-latest-
communications-facebook-
a7777136.html [Accessed 20 Jun.
2017].
[4] Griffin, A. (2017). Theresa May to
shut down the internet as we know it.
[online] The Independent. Available at:
http://www.independent.co.uk/life-
style/gadgets-and-tech/news/theresa-
may-internet-conservatives-government-
a7744176.html [Accessed 20 Jun.
2017].
[5] Griffin, A. (2017). Theresa May says
the Finsbury Park mosque attack justifies
her plan to crackdown on the internet.
[online] The Independent. Available at:
http://www.independent.co.uk/life-
style/gadgets-and-tech/news/finsbury-
park-mosque-attack-latest-theresa-may-
internet-crackdown-justification-
terrorism-web-a7797281.html
[Accessed 20 Jun. 2017].
[6] Griffin, A. (2017). Theresa May’s
internet plans could make it easier for
terrorists, campaign group warns.
[online] The Independent. Available at:
http://www.independent.co.uk/life-
style/gadgets-and-tech/news/london-
attack-theresa-may-internet-regulation-
terrorist-networks-jihadis-surveillance-
privacy-a7773021.html [Accessed 20
Jun. 2017].
[7] Lee, A. (2017). Theresa May’s
crackdown on the internet will let terror
in the backdoor | Alex Lee. [online] the
Guardian. Available at:
https://www.theguardian.com/commentisf
may-crackdown-snoopers-charter-
encryption-terror-backdoor [Accessed
20 Jun. 2017].
[8] Aliens, C. (2017). Austria One Step
Closer to Mass Surveillance. [online]
Deep Dot Web. Available at:
https://www.deepdotweb.com/2017/06/15
one-step-closer-mass-surveillance/
[Accessed 20 Jun. 2017].
[9] Carberry, S. Watchdog: NSA needs
to boost insider-threat protocols --
FCW. [online] FCW. Available at:
https://fcw.com/articles/2017/06/19/nsa-
insider-audit.aspx [Accessed 20 Jun.
2017].
[10] Sheth, S. (2017). Thousands of
millennials straight out of high school
work for the NSA with top secret
information. [online] Business Insider.
Available at:
http://www.businessinsider.com/reality-
leigh-winner-nsa-leak-access-2017-6
[Accessed 20 Jun. 2017].
[11] American Civil Liberties Union.
(2017). Trump, Hypocritically, Moves
to Make Temporary Surveillance
Powers Permanent. [online] Available
a t : https://www.aclu.org/blog/speak-
freely/trump-hypocritically-moves-
make-temporary-surveillance-powers-
permanent [Accessed 20 Jun. 2017].
[12] Bossert, T. (2017). Opinion |
Congress Must Reauthorize Foreign
Surveillance. [online] Nytimes.com.
Available at:
https://www.nytimes.com/2017/06/07/opi
reauthorize-foreign-surveillance.html
[Accessed 20 Jun. 2017].
[13] Oliver, J. (2017). Government
Surveillance: Last Week Tonight with
John Oliver (HBO). [online] YouTube.
Available at:
https://www.youtube.com/watch?
v=XEVlyP4_11M [Accessed 20 Jun.
2017].
[14] Burgess, M. (2017). Google’s using
a combination of AI and humans to
remove extremist videos from YouTube.
[online] WIRED UK. Available at:
https://www.wired.co.uk/article/google-
youtube-ai-extremist-content [Accessed
20 Jun. 2017].
[15] Guynn, J. (2017). Facebook taps
artificial intelligence in new push to
block terrorist propaganda. [online]
USA TODAY. Available at:
https://www.usatoday.com/story/tech/new
using-artificial-intelligence-to-crack-
down-on-terrorism/102887032/
[Accessed 20 Jun. 2017].
[16] Ghoshal, A. (2017). AI is our best
weapon against terrorist propaganda.
[online] The Next Web. Available at:
https://thenextweb.com/artificial-
intelligence/2017/06/19/is-ai-our-best-
weapon-against-terrorist-propaganda/
[Accessed 20 Jun. 2017].
[17] Griffin, A. (2017). Theresa May
doesn’t rule out regulating the internet
like China. [online] The Independent.
Available at:
http://www.independent.co.uk/life-
style/gadgets-and-tech/news/theresa-
may-internet-regulating-regulation-
china-general-election-london-attack-
bridge-a7774221.html [Accessed 20
Jun. 2017].
[18] Stone, J. (2017). Theresa May says
the internet must now be regulated
following London Bridge terror attack.
[online] The Independent. Available at:
http://www.independent.co.uk/news/uk/po
may-internet-regulated-london-bridge-
terror-attack-google-facebook-
whatsapp-borough-security-
a7771896.html [Accessed 20 Jun.
2017].
[19] Nagy, B. (2017). Metadata:
Australia’s Cyber ‘Sitting Ducks’.
[online] The Diplomat. Available at:
http://thediplomat.com/2017/02/metadata-
australias-cyber-sitting-ducks/
[Accessed 24 Jun. 2017].
[20] Sveen, B. (2016). Data Retention
Bill: Government departments ask AFP
to access metadata after legislation
enacted - ABC News (Australian
Broadcasting Corporation). [online]
Mobile.abc.net.au. Available at:
http://mobile.abc.net.au/news/2016-10-
04/government-departments-obtain-
metadata-via-afp/7898648?pfmredir=sm
[Accessed 24 Jun. 2017].