Data leaks are impossible to reverse, so the best strategy is to prevent intruders from having prolonged, unfettered access to systems in the first place.
The hack and subsequent leak of data from the Democratic National Committee are an industrial-scale example of a fundamental asymmetry in our increasingly connected world: Disclosure is easy; correction is difficult.
Although disclosure can be an important tool for transparency and advocacy, it can also be a malicious and powerful weapon. And once records are disclosed, there's no way to erase that image. Even if they are incorrect or were disclosed for malicious purposes, the imprint remains preserved in the national consciousness.
The DNC hack is hardly the first case of disclosures intended to embarrass or undermine. The Ashley Madison hack and a number of other targeted efforts were designed to humiliate and terrify private individuals, prominent activists and public figures. It's not even the first example of disclosure by a nation-state to affect public debate (consider the Sony intrusion).
But the DNC hack shows the rapid increase in sophistication of nation-states (and Russia in particular) in using the internet to project power. We're seeing skilled malicious actors pushing the boundaries of what they can accomplish.
According to several reports, some of the DNC files released in June had metadata indicating they might have been modified before they were leaked. There is no indication (as yet) that any pivotal information was changed, but it is a stark reminder that sophisticated operators needn't find dirt to be effective. They can insert additional information, modify existing communications or release only certain portions of the stolen data.
Deterrence is an important component of any response, and it raises immediate questions about attribution and political circumstances. But deterrence is only one tool if we're going to reduce nation-state exploitation of networked information. We also need to make intrusions like the DNC hack more difficult.
Widespread and prolonged access to a network is important for attackers seeking to steal and control information. Even if they modify the records, intruders still need long-running access to internal deliberations to paint the picture they want. That is partly why intruders often spend months or years in compromised data centers.
So what can we do? Data center perimeter security will always be important, but it's time to stop pretending we can block sophisticated actors at the perimeter. We need to focus on reducing the amount of time intruders can hide inside a compromised network -- so-called dwell time. Cybersecurity researchers have estimated the average dwell time as high as 200 days. For more sophisticated intruders, it's even longer.
Gathering large datasets requires attackers to move around in a network, compromise a range of systems and exfiltrate data. If attackers' access were constrained to days, they'd be forced to rush and take greater risks. Failure rates -- and costs for intruders -- would skyrocket.
There is no magic fix or single algorithm to solve the problem, but there are ways to shorten dwell time: segment the interior of the data center so that a foothold on one system does not give reach to all of them; lay tripwires along the internal pathways between servers (decoy hosts, services and credentials that no legitimate workload ever touches) so that an intruder's reconnaissance raises an alert and slows them down; limit each user's access so that one stolen credential opens fewer doors; and patch vulnerabilities to take away the easy routes to the next system.
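As an added example that is not part of the original article, the following Python checker applies two of those controls, segmentation and tripwires, to a handful of constructed flow records. The segment map, the allow-list of permitted cross-segment connections, the decoy addresses and the log format are all assumptions made for the illustration, not details of any real network or incident.

```python
"""
Added example (not from the original article): flag network flows that either
cross a segment boundary the policy does not allow, or touch a tripwire (a decoy
host/port that carries no production traffic, so any connection is suspicious).
Every address, segment, policy entry and log line below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed segment map (assumption: one /24 per tier).
SEGMENTS = {
    "web": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "db": ip_network("10.0.3.0/24"),
    "mgmt": ip_network("10.0.9.0/24"),
}

# Permitted (source segment, destination segment, destination port) tuples.
# Any other cross-segment flow is a policy violation worth an alert.
ALLOWED = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("mgmt", "web", 22),
    ("mgmt", "app", 22),
    ("mgmt", "db", 22),
}

# Tripwires: decoy listeners nothing legitimate knows about. They catch
# reconnaissance even when the flow would pass the segmentation policy.
TRIPWIRES = {
    (ip_address("10.0.3.250"), 5432),   # decoy "backup database" in the db segment
    (ip_address("10.0.2.250"), 445),    # decoy SMB share in the app segment
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


@dataclass
class Alert:
    kind: str      # "segmentation", "tripwire" or "unknown-segment"
    flow: Flow
    reason: str


def segment_of(addr: str) -> Optional[str]:
    """Return the segment name an address belongs to, or None if unmapped."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def parse_flow(line: str) -> Flow:
    """Parse the constructed log format '<src_ip> -> <dst_ip>:<dport>'."""
    src, rest = line.split(" -> ")
    dst, dport = rest.rsplit(":", 1)
    return Flow(src.strip(), dst.strip(), int(dport))


def check_flow(flow: Flow) -> List[Alert]:
    """Apply the tripwire check first, then the segmentation policy."""
    alerts: List[Alert] = []
    if (ip_address(flow.dst), flow.dport) in TRIPWIRES:
        alerts.append(Alert("tripwire", flow, "connection to decoy service"))
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        alerts.append(Alert("unknown-segment", flow, "address outside every known segment"))
    elif src_seg != dst_seg and (src_seg, dst_seg, flow.dport) not in ALLOWED:
        alerts.append(Alert("segmentation", flow, f"{src_seg}->{dst_seg}:{flow.dport} not permitted"))
    return alerts


def scan(lines) -> List[Alert]:
    """Run every non-empty log line through check_flow and collect the alerts."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if line:
            alerts.extend(check_flow(parse_flow(line)))
    return alerts


# Constructed sample flows: two normal tiers of traffic, one web->db hop the
# policy forbids, two touches of decoys, and one source outside the map.
SAMPLE_FLOWS = """
10.0.1.15 -> 10.0.2.20:8443
10.0.2.20 -> 10.0.3.10:5432
10.0.1.15 -> 10.0.3.10:5432
10.0.2.20 -> 10.0.3.250:5432
10.0.1.15 -> 10.0.1.16:22
10.0.9.5 -> 10.0.2.20:22
10.0.2.21 -> 10.0.2.250:445
192.168.1.1 -> 10.0.3.10:5432
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_FLOWS.splitlines()):
        print(f"[{a.kind}] {a.flow.src} -> {a.flow.dst}:{a.flow.dport}: {a.reason}")
```

The fourth sample flow is the instructive one: app-to-db on port 5432 is exactly what the policy permits, so segmentation alone would let it through, but the destination is a decoy that no real application server has any reason to contact. That is the value of the tripwire layer: it turns the attacker's need to explore into the defender's signal, and it fires on the first touch rather than after weeks of exfiltration.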
Together, those steps would make it much harder for intruders to establish the kind of persistent, widespread access that disclosure operations demand. The approach won't stop all sophisticated actors from exploiting the asymmetry between disclosure and correction online, but it will make the activities riskier and more difficult -- and make intrusions easier to contain.