Russian hackers are reportedly blackmailing U.S.-based progressive groups by breaking into their networks and scouring internal emails. This is how it reportedly works: The adversary gets sensitive information — say a strategic email conversation, or messages that could embarrass an executive or the organization — and demands a ransom with threats of public exposure.
This isn't the first time we've seen this, and such exposure can be terribly disruptive — heck, it may have played a role in the 2016 U.S. presidential election. The slow drip of leaked Democratic National Committee and John Podesta emails over the course of last fall ground away at an uneasy electorate. Sony Pictures was also once a victim of leaked emails, after the alleged hacks by North Korea in retaliation for the studio's release of a comedy satirizing the nation's leader, Kim Jong-un.
In other words, adversaries can use data as a source of humiliation — both at individual and organizational levels.
Of course, rule number one here should be: Don't get hacked. Have a strong security posture to keep adversaries out. But that's not always possible. Many adversaries are state-backed and have time, expertise, and manpower to target and infiltrate. They're not just inserting malware or stealing data for profit on the dark web. They're using access to private communications as leverage to extort money and influence over an organization. It's the logical extension of ransomware.
After many years of security products in the marketplace, technology geared toward privacy is now on a rapid rise. So much so that earlier this year we at the IAPP started gauging and identifying the market. In our Privacy Tech Vendor Report 2017 we identified several categories that are truly distinct from security technology. True, much of it automates and scales the daily functions of the privacy office.
But on the edge of this market, we decided to include a category we called "Enterprise Communications." Vendors in this category aim to provide organizations with secure and private communications channels. We're not talking PGP emails here either. These are products that are designed to be easy to use, employ end-to-end encryption, and usually include data deletion capabilities to minimize a data trail. And they're specifically geared for the organization. These aren't just traditional security products; they're privacy-tech products as well.
The hacks of Sony Pictures and the DNC were the main drivers behind our decision to include enterprise communications in our market report. The data accessed in these incidents was employed much differently than, say, a health care or financial data breach, in which adversaries try to sell stolen data on the dark web.
And it will likely continue to grow worse. This data is used for coercion, for control over individuals and organizations, to influence the reputations of companies and outcomes of democratic elections. On an individual level, we've seen so-called "sextortionists" leverage private information — usually nude or revealing photos of women — to exert control over their victims. Again, it's the threat of exposure that coerces. That means these incidents are long-term nightmares for the victim.
The organizational version of this might involve the publication of a tossed-off email from a high-level executive calling some regulator a nasty name, or an "off-color" joke between executives that would reflect poorly upon the organization as a whole, even a product idea that was quickly shot down for being egregious. These are things that can be exploited for long-term value in a way that the sale of a particular piece of personal information cannot.
Information is power, and our ability to communicate privately is part of the health of our organizations. Sometimes being candid about strategy, or about another employee, is necessary. But if that honesty is chilled by these types of hacks, business won't run as usual.
We have clearly entered a new world where our digital technology can be weaponized. Keeping our communications as secure, and private, as possible is one way to help thwart these nefarious attacks.