Walter Paz is the Director of Customer Success, Public Sector, for Department of Defense (DoD) Programs at Immuta. He previously served as a Senior Intelligence Officer for the DoD, Headquarters Department of the Army Office of the Deputy Chief of Staff, G-2 within the directorate of Information Management and Plans and Integration, from 2005 to 2020. He continues to serve as a Senior Intelligence Master Sergeant USAR for the Office of the Chairman Joint Chiefs of Staff, J7.
I recently sat down with Walter to get his take on data weaponization – the act of using an individual’s data at their own expense – and how organizations can ensure their data use is safe, ethical, and compliant.
It’s great to talk to you, Walter. You have an amazing background in public sector data intelligence and as a leader in data solutions architecture at Immuta. I’m interested in your perspective on “data weaponization.” We hear a lot about this in the news and it was a major topic of conversation during our webinar with NightDragon and HP. With the state of the world today, it’s becoming an increasingly relevant concern.
Well, your data is being weaponized. There are all kinds of data out there – specific data on a company, a project, or even the data on your phone. Information about everything you do all day long can be collected and weaponized. There are a lot of things that you likely do daily on an unsecured network that foreign intelligence personnel can collect. Anytime you log into any website or social media app with third-party advertising, including Facebook and Twitter, you leave a breadcrumb of yourself. In aggregate, you’re leaving an internet persona of yourself everywhere you go online.
So for instance, someone can make a determination about whether you lean extremely right or extremely left based on the data you leave behind on the internet. They may not be correct, but that doesn’t stop them from making the assumption. That alone could cause them to focus specifically on you, and then come after you in a more intrusive way in order to get something out of you. If I was a foreign adversary, I’d be asking how I can use “Paul” as a pawn in my game. How can I leverage your data – which you’ve given out freely to an enemy of state – to meet a collection requirement?
I’ll use the D.C. metropolitan area as an example. All day long, people are walking around with badges and IDs around their necks. In doing so, they’re leaving behind indicators of where they work or what they do. It’s giving me pieces of information that can solve a bigger puzzle. And so, if I find out that Paul is working at a company that supports the U.S. government, I know he can help put the puzzle pieces together. How do I get to Paul? How do I find out everything that I can that’s already available for me on the internet in order to befriend him and continue collecting more information?
So, when you talk about weaponizing data, it’s really using one’s own data against themself.
Right, and there are different ways to weaponize data. Targeting an individual because of their background and singling them out is one way. Focusing on specific companies is another. What’s the company doing? How can I use its public information to disrupt or destroy a network? How vulnerable is its network and how harmful would a cyberattack be to its environment?
If you look at the internet and social media, everybody wants to publish and say everything, which is great for freedom of speech and freedom of expression. But if I was a foreign adversary, it tells me too much. For instance, I know every incoming military general that’s going to be in command. Why? Because it’s Publicly Available Information (PAI). And once I know that, I can do more research into who they are, where they live, and even what their families are posting on social media. Within a week, any foreign actor can find out exactly where you live, what you’re doing, what you’re in charge of, and more – all because it’s online.
So, how do you fix something like that – without limiting our own freedom?
You really can’t put restrictions on what people can do on the internet. You could say, “Don’t do this and don’t do that,” or “Be mindful. Loose lips sink ships. Watch what you say,” which are well-intentioned. But you can never control that general officer’s second cousin who’s so proud that his second cousin is now the commanding officer of the next nuclear environment and wants to tell the whole world about it.
There are all these back doors that keep opening up.
It doesn’t matter what you do. If somebody really wants your information, they’re going to get it.
It’s just like a car. You could put every alarm system on your car, the club, a kill switch, and everything else on the market to protect it. But if I really want your car, I’ll just tow it.
There’s a widely held belief that companies, organizations, and government agencies should always take the high road with data. But you can’t necessarily instill that value or ensure that they’ll actually act in good faith. So, what is it we can do? What can Immuta do to help these entities?
If you look at how companies gather data, whether it’s data about customers or their own personnel, they have it in one environment. They use a data access platform like Immuta to govern access to that data, and provision that data to the right users for the right reasons in an auditable fashion. It’s a capability that has already been proven and validated to say, “you meet the threshold to access this specific data.” And all this is done in compliance with any data privacy rule sets.
So, our customers use Immuta to protect their data because they know it’s going to be done right. They know that within that environment, their data is safe. It’s a big separation, right? A customer has their own data set in their own environment, behind a firewall protected by Immuta – but that’s not the internet. On the internet, whatever you put out there, voluntarily or accidentally, could be exposed by everything, everyone, and possibly forever.
+ + +
Paul Molinari is Immuta’s Director of Brand Marketing Strategy.