The Weaponization of Data

A

This is Smart Women, Smart Power, a podcast that features conversations with some of the world's most powerful women. We feature thought leaders at all career levels where we explore, among other things, the many contributions that women make to the fields of international business, national security, foreign policy, and international development. Does having women in positions of power influence the outcomes of decisions in these fields? Why or why not? Join me, Dr. Kathleen McInnis, director of the Smart Women's Smart Power Initiative at the center for Strategic and International Studies. For these incredible conversations, cyberattacks disproportionately impact women and therefore the measures needed for better protection. To walk us through her recent research on these issues, we're joined by Pavlina Pavlova, a ShareThemikEnCyberfellow at the New America foundation in Washington, D.C. and a cybercrime expert at the UN Office of Drugs and Crime in Vienna. So welcome to the podcast, Pavlina. To kick us off, I'd love to hear your origin story. How did you get attracted to UNODC and cybercrime specifically?

B

Thank you so much for having me. It's a great pleasure to share about my research and starting with my story. Growing up I was very much influenced by political shifts in my home country, Slovakia. Being born in August 1991 meant that these were very turbulent times for the entire region, coming from communist rule to transformation into being a democracy. And I just saw how much depends on the rule of law, on strong democratic institutions. So I think I was very much drawn to the power to political power, to understanding international relations and how to make things for better. And this led to my study of geopolitics in Prague and in Leuven in Belgium. And from there being already in Belgium, close to Brussels, I had opportunities to gain experience at the European Parliament and I was assigned legislation dealing with network and information security and digital sling market. And I think this intersection of on one side security, democracy, human rights, and on the other, the very digital layer and cyber means keep me engaged ever since.

A

If I could follow that up a little bit, because I think both our younger listeners who are joining the field, but also our older listeners who are mentoring people who are trying to join the field would be really interested to know, like what was the specific set of opportunities that you had that allowed you to work in the European Parliament?

B

That's a very good question. I think it was my study record and keen interest in political issues. And since then when I saw opportunities to join, I applied and I was selected to join for first for internships and then for other opportunities okay, awesome.

A

So you started in as an intern and then sort of transitioned into more full time work. Okay, cool. So you recently published a report with the New America Foundation, Gender Impacts Data Weaponization, where you uncovered the alarming, disturbing rise of sexualized deepfakes and gendered attacks in online spaces. I mean, it's just horrific to think that this is the world we live in at times. But can you walk us through your decision to pursue this research?

B

It was evolution of decisions. I was working on digital security and especially focusing on threats to marginalized and targeted groups. When I was with the Organization for Security and Cooperation in Europe, I was working with minorities, human rights defenders, journalists and civil society members. It was around that time that I was approached to give a lecture on gender disinformation for young diplomats. And when I was preparing for the talk, I realized that this field, it's not just about this information, it's one layer of the threats. These threats are very much connected. They are connected to data breaches. They are connected to a set of online but also offline contextual threats. And I just felt like there is so much more that needs to be evidenced in this space and so much more that needs to be set, which wasn't. And then I saw the opportunity at New America with the shared Megan Cyber Fellowship, which offers great advantage to work on underrepresented topics in support of overall strengthening of collective resilience to digital threats. And I applied with this research and it was the best decision.

A

So let's get into some of the brass tacks about your research and your findings, which you mentioned. This contextualized data breaches and gender disinformation and how it's a much bigger problem than many are presently aware of. So to break it down, what kinds of threats you're an ordinary woman somewhere, like what kinds of threats might you face and how.

B

There's so many. That's the problem. And this is what I face when I try to put it into one research. I work through different factors that create gendered harm because not all harm is necessarily based on the gender or depending on our identities. So in my research I focused on gendered harm and then I evidence it through four factors. And these are access and perception of the gender specific gender data.

A

So what does that mean, like access to gender data?

B

So you have four factors that make the attack gendered. And I just wanted to put things into perspective. So I tried with these four factors to make it more accessible for wider audiences. At the same time, it's important to speak about specifics and what I find especially interesting is how these attacks on the healthcare sector create multiple gendered harms, which are very little evidence for now and which means a lot for not only resilience of the systems as such, but also for security of people and national security.

A

Well, can you provide us an example of what's at stake for an individual facing a personal data leak?

B

Yes, absolutely. First of all, these attacks are increasingly common, especially in the United States. And medical data of half of all Americans now believe to be exposed or breached. And attacks on critical infrastructure at large disrupt operations. And these attacks are growing in frequency, scale and the impact. So these are not only individual incidents, it just compounds with the impact because they are so common nowadays. And when it comes specifically to exploiting medical records, it can be sensitive for women because of gender specific information. And there is one very emblematic case that demonstrates it very clearly. And it's the Medibank case.

A

Walk us through that.

B

I'm going to walk you step by step.

A

Terrific.

B

In 2022, Rebel ransomware group hacked the largest Australian private health insurer and leaked a data set of Medibank customers and entitled it abortions after unsuccessful ransom demands. So they demanded certain amount of money. This ransom demand was not met and they leaked those documents. The compromised data was leaked on the dark web and including a spreadsheet listing patients personal information alongside billing codes related to pregnancy terminations. So there was a list published with abortions, basically calling it the naughty list. So shaming such behavior of women and this is one of the gender specific impacts because breaches of reproductive health records can have profound implications for women's privacy, well being, access to service and also security as such.

A

That's terrifying. That's terrifying. Especially in our post Roe versus Wade environment. You note in your report that gender defamation and disinformation have been a distinct part of the foreign interference toolkit. Like deepfakes. How so? Can you provide specific examples?

B

Yes, absolutely. There's actually also the 2022 European Parliament report. I quote this reference because it's one of the key reports that acknowledges that gender disinformation is a tool in the toolkit of foreign actors who try to disrupt election elections and disrupt democratic institutions at large. In Europe and all over the world we see gender disinformation being a problem not only how it targets women and gendered. This information is gendered not just because it targets women, it's because it targets them on specific gender criteria. So for example, sexualized deep fakes or gender stereotyping or misogynist. And sexist disinformation. And in this sense it wants to create basically second rate citizens. So as a woman representing a group of people, they try women to withdraw from elections and public places because then they create these kind of negative role models for other women. And if we have space like this, we really cannot speak about safe online spaces or even equal opportunities. So this is why the perpetrators do it in the first place. But then there is also secondary aspect to it. It's not only the piece of this information which is coordinated and circulated online, but also the compound of hate which is happening in online comments and how long term this harm can be, because on average gender disinformation with this kind of gender stereotypes will have more hatred and more threats and more death threats and more rape threats than any other disinformation against, for example, political candidates or journalists. So we are creating not only unsafe online spaces, but also unsafe offline spaces where women and their family members are threatened this way.

A

It's been interesting to watch some people's sort of dismissal of online spaces because it's just online and reality is totally different. And actually the two are much more intertwined. And especially in this way, when women are unsafe online, they're often very unsafe offline. So what policy recommendations do you have for different governments as we try to grapple with this threat?

B

I think it starts very basic, it starts from the evidence. It starts in believing that this issue is important. And I know it sounds very simple or rudimentary, but at the same time it's just not acknowledged. And even we see backsliding from what has been acknowledged in the past. So first of all, acknowledgement that this is an issue and we still don't know how much a problem it is for our society. And we need to evidence it more, we need to research it more, we need to devote more resources so we understand it. And this is not only for the impacted groups, which is reason enough, but it's also for increasing protection for everyone else. There is still very little known about the impacts of cyber incidents and larger cyber threats, and especially the impacts on subsets of these threats to populations across various contexts and across various vulnerabilities of those populations. So we definitely need more data and more methodologies and testimonies of those people who are impacted to understand how far reaching and very concrete is the harm. Because what is oftentimes problem with the cyber harm is that it's put aside as something that is annoyance rather than real harm. But once you start evidencing it, once you hear the concrete stories and you map them and you put them into perspective and you see them the trends. You understand that you're not only making people vulnerable, you're also making your own societies and your own space as a country, as a government, vulnerable to other actors to tap into these societal vulnerabilities and leverage them against you.

A

What can individuals do to better protect themselves and their data online?

B

So there are many ways and I think what we did right as a cyber security, cyber policy community is that there have been a lot of scaling up of initiatives for better cyber hygiene and best cybersecurity practices so you can do data minimization, which is very important. Speaking about data breaches and also selling of personal data to third parties. So just thinking twice before sharing information with platforms and individuals online, checking your settings because many platforms track for example, precise location data by default, but also multi factor authentication to prevent perpetrators to access account and misuse them. Beware phishing attacks. So be very cautious with emails and different links. Always fetch your software. But so these are best practices and I think we've done a lot on them. The other side of things is that we still know very little what are our rights when attack Audi happens. So prevention is the best thing you can do. But also what I saw when researching on these attacks, on this harm is that so much of this harm is outside of our realm of protection. So it happens to us whether we share the data. It happens to us because we share the data with healthcare providers. It happens to us because court files or public administration at large was attacked and this data was revealed. So it's not just about our accounts and our digital security, it's about more systematic security in the systems and how they process data. So I find for individuals it's also important to build the momentum to understand what are your rights if such attacks happen. And there is still very little accountability if such, for example data breaches happen. And also where to seek help while it's improving the capacity for e.g. law enforcement to investigate and prosecute such crimes remains limited.

A

Yeah, I remember maybe a decade ago now, China breached the data of everybody with a security clearance. And the US government's response was sending like Experian credit monitoring reports to see if somebody used our identities. And it was just like this is not sufficient relative to the problem. This is ridiculous. Anyway, do you think your gender as a woman has had an impact on your decision to pursue this research? And if so, why? If not, why not?

B

I think absolutely. I think it gives me more resolve to work on these issues, but it also importantly gives me more sensitivity to see how far reaching certain threats can be for well being and security of people. It's also beyond my gender. It's also because I have worked on a range of security issues and human rights violations and see how interconnected these threats can be and how very easily they can escalate both online and offline. What is heartwarming for me, being personally invested into this issue is that I was speaking to men and women in cyber security and outside, and there is a lot of interest in it because people understand that securing our societies is important. So it may start with women as the drivers for these issues, but it luckily does not stay with them. And there are many men across the field who feel like advancing this issue for better protection for us all.

A

Yeah, that's interesting that this issue is an indicator of where the threats are and it provides, it illuminates a new perspective on the issue that other experts can take forward. Oh, to conclude our conversation, smart women, Smart Power. What does power mean to you? How do you define power?

B

That's a very interesting question. To me, power must be the ultimate catalyst. It means absolutely nothing without the action we use it for. So it can be power for positive change, or power that corrupts, or even power that does nothing at all because we choose not to use it. So I find that the title of our podcast, Smart Power is so important. It's a call to use our power to our best ability and for wise impact.

A

Pavlina, thank you so much for joining us on the podcast today. This has been a fascinating conversation and to all of our listeners I really commend this research. Take a look. It's pathbreaking and it's something we all need to know about for all of the reasons that we've just articulated. Thank you.

B

Thank you very much for having me.

A

Subscribe to the Smart Women Smart Power podcast on Apple, Podcasts, Spotify, or wherever you listen to great content. Be sure to follow us on Twitter martwomen or you can follow me on Twitter jmcinnis1. Thanks for listening and join us next time.