In a relentlessly connected world, it’s become harder and harder to avoid cyber risks. The risks aren’t just from the obvious sources of attack on government, corporate, and personal systems and data. From stealing travel reservations and health and financial records to simply noticing an agency’s inventory control sticker on a laptop, threat actors are using multiple avenues to compromise critical systems, interfere with negotiations, and extort or threaten organizations and people.
For a closer look at not-so-obvious cyber threats, along with recommendations on how to deal with them, we spoke with Malcolm Harkins, Chief Security and Trust Officer for Blackberry Cylance. He gave us some perspective on just why we should be concerned about the theft of seemingly trivial information, like hotel reservations and fitness tracker data, along with the bigger underlying threats to national security.
Government Technology Insider (GTI): Besides the obvious problem of identity theft, why is this kind of information dangerous in the wrong hands?
Malcolm Harkins (MH): Well, I think we’ve got to look at it and understand how that data could be used and who might use it for what purposes. So, my hotel information — where I stay, how often I stay there, what type of food is on my bill, what type of calls I make — all the information that might be on your hotel records. On the one hand, it could be used for identity theft and things like that, and I think that’s the obvious one that everybody’s most concerned about. But, if I was a nation-state actor and I had the travel information for hundreds of millions of people, and some of those people are in the defense industrial base, some of them are in law enforcement, some of them are government officials, that could give me a strategic advantage. Such a record allows a nation-state actor to not only physically target a person but also put the information to work for espionage purposes, and creates the opportunity to try and compromise them.
Because now, you not only know where they stay and what their frequency is, but you can find other patterns of behavior – from what shows they watch on the hotel television to countless other insights. Then you send in a person who creates a relationship with somebody based upon understanding those patterns, which creates the opportunity to cultivate them into an asset or place them into a compromising position, all because of the patterns revealed by their travel.
GTI: We’ve seen that fitness tracker data was being used to essentially geofence secure areas. And if you know where Soldiers and Marines are going for a run, you can pretty much map out a military base’s perimeter. Are these devices inherently risky in the same way from a security perspective?
MH: Absolutely. Now, on the other hand again, if you’re trying to geofence locations, let’s say I’m a factory worker and I’m working in a factory that, for life safety reasons, uses that information to know where the people are. If there’s an event, these trackers let you know how many people are in each sector, so you can evacuate and, if need be, conduct search and rescue operations. So, there are valid reasons for that kind of tracking and monitoring. However, if that data is mismanaged — potentially exposed — you have a serious risk exposure. Like the example you cited with service members on base, or knowing that neither Malcolm nor his wife is home, it’s really easy to put this information to work for nefarious activities.
GTI: And it could be somebody related to or connected to that main target. It could be an aide, it could be a congressional staffer, it could be somebody working in the White House or in the State Department. It’s not necessarily that main target.
MH: Absolutely. Because as we all know, the threat actors are going to go to the softest target, and the softest target isn’t the person who has a personal bodyguard with them all the time. They’re going to hit somebody lower level that may not be seen as critical and then pivot to the main target. Just like in a logical attack, I might phish the administrative assistant of the actual target. And, if I can own their system, then I can get to my actual target.
GTI: There are all kinds of devices now that are capturing personal data without a lot of security. We’ve had discussions in the past, and certainly everybody’s read about the Internet of Things creating security challenges where there weren’t any before. You go to a doctor’s office or to a hospital and portable scanners are storing data right on the device. So, what’s the risk with somebody getting a hold of health data?
MH: I think the risks are multifaceted. On the one hand, health data, particularly if you could compromise pharmaceutical records, could be used for medical fraud. They could use it for interception of mail delivery of drugs. So, there might be purposes there where you could monetize that data in an organized crime fashion.
The other aspect is, again, targeting somebody physically. If you understand their physiology and ailments they might have, diseases they might have, or even allergies, you can gain a strategic advantage. If you were trying to physically harm somebody, or take them out of commission, you could, in essence, get them out of the way to do something else. Allergy information could be immensely useful if you were targeting somebody.
GTI: Of course, you could also discover, potentially, if somebody has an addiction to opioids or some other substance.
MH: Absolutely. And then you could use that information either for blackmail purposes or use it to compromise them in order to have them act on your behalf. Moreover, you could also take advantage of someone with an addiction problem: you could create an environment that could cause them to slip back into that pattern and, like that allergy example, render them ineffective.
GTI: We live in a relentlessly connected world. Where else should we be looking for these hidden vulnerabilities?
MH: Well, to be honest, almost everywhere. Sometimes the not-so-obvious vulnerability is ourselves. The biggest vulnerability that we face today and in the future is the misperception of risk. And we all misperceive it because of the biases we have, the structures that we have, the measurements that are in front of us.
I think that causes us to have blind spots in what we’re looking at and how risk can manifest itself. Since risk is temporal, the decisions I make today, the technology architecture I use today might have been appropriate, but down the road it might create a not-so-obvious vulnerability.
Look at the semiconductor industry with Meltdown and Spectre. The industry was testing to validate that the functionality they wanted to exist in semiconductors existed and functioned for its purpose. But they didn’t test to see if that functionality could be used in unintended ways that could manifest itself in risk for the users of computing. And so, we have to think about these dynamics in a very diverse fashion and with the level of contemplation to make sure that we are tackling issues of potential consequence for our organizations as well as our customers.
GTI: You’d mentioned to me offline about some incidents that were really obvious examples of the misperception of risk. For example, cyber threats after a physical event. Could you give us some real-world examples of that?
MH: Think of an earthquake or a tornado, some physical disaster that affects a region or a city. And, again, if you were so inclined, you could attempt to ransom and disrupt fire, police, emergency responders, because that might be the quickest way to get a payday. Local government agencies are susceptible to these types of attacks because they need the communication system back up, they need the ability to coordinate activities to mount their response to a physical event.
At the nation-state level, it’s been well documented through the war in Iraq that disrupting communications and computing capabilities just prior to launching a bombing campaign rendered the Iraqi air defenses useless. Creating a level of confusion, a level of difficulty for the Iraqi air defenses made it difficult to coordinate and difficult for them to launch a response on the allied forces.
GTI: So here we are in a world of not-so-obvious vulnerabilities. What can we do about it?
MH: We’ve got to think about the not-so-obvious. We’ve got to ask the high contrast questions to ensure we have the right discussion and debate. We’re always going to miss things.
I’ve said before, we can’t eliminate risk, but we can’t contemplate everything either. However, if we have the right data, we have the right informative dialogue, we look at these things from multiple angles and we look for the black swans, we’ll be on the right track. We have to look underneath the calculation at times and ignore some of the other variables to look at the consequences of an event or the event’s connection to another event, to get a better understanding of the risk it poses.
Want to hear the entire conversation with Malcolm? You can find the podcast here.