Metadata – the data that describes other data – is a security threat that goes underreported but is also a powerful threat to national security, according to a new survey from the Institute for Critical Infrastructure Technology (ICIT).

According to senior fellow James Scott, metadata exploits are becoming more common as attackers take advantage of organisations’ main weaknesses, their people.

Scott says that organisations can invest large amounts in personnel and training but in the end, organisations can’t stop relying on people and people’s characteristics are ‘difficult or impossible to change’.

Scott’s research paper, titled Metadata: The Most Potent Weapon in This Cyberwar, says metadata is collected and used to describe data, find trends, apply algorithms and model scenarios. The issue is that personally identifiable information can be gleaned from the metadata. Scott says that hacked metadata can be sold through the dark web, putting victims and organisations at risk.

Deep Panda APT, a Chinese state-sponsored hacking group, was able to retrieve 22.1 million confidential forms in a 2015 OPM breach against the United States. Scott says the information contained both demographic and psychographic information about critical infrastructure personnel and clearance applicants.

When used in conjunction with artificial intelligence algorithms, Scott says the stolen information can be combined with purchasable data from ISPs to form a complete picture.

He also says that big data analytics can be used to re-identify anyone based on metadata. Medical records are a prime example, but this can also be tied to a user’s web browsing habits.

“How many users start their workday by logging on, checking email, and then navigating to the same two or three news sites or web portals? Cybercriminals can capitalize on psychographic and demographic re-identification in lucrative blackmail schemes against any politician or public figure that can be linked to unconventional or embarrassing online activity,” he explains.

Scott also relates the healthcare industry’s electronic records to metadata vulnerabilities, naming the WannaCry attack as a major blow against securing medical systems.

“If a single infected BYOD device enters a hospital, the medical network connecting multiple hospitals could be infected and crippled in minutes or hours. Recent efforts have attempted to modernize medical systems, protect medical devices behind layered security, and train staff in basic cyber-hygiene,” he states.

“The adoption of modernized systems and layered defenses will do little to deter the onslaught of malicious campaigns if adversaries can precision target exhausted, over-exerted, and un-cyber-hygienic personnel in metadata-driven social engineering campaigns.”

However metadata is not limited to what’s for sale on the Dark Web: Scott says that metadata and machine learning collected by agencies such as Facebook can determine whether or not users are depressed, or whether they are likely to join terrorist groups such as ISIS.

“Self-polarized lone wolf threat actors are the meta-variant of terrorist. Isolated, depressed, and mentally unstable individuals are prime targets for extremist conscription. These users can be trivially targeted even from pseudo-anonymous metadata because the actual identity of the target does not matter; the threat actor just needs an IP address, email, or social media account to establish initial contact,” he says in the report.

What that ultimately means for organisations is that while metadata is bought and sold both legitimately and on the Dark Web, it is a major risk to all industries including healthcare, national security and consumers.

“Cyberwarfare is already being waged in the kinetic, digital, and mental realms using metadata as the primary weapon to successfully target and compromise public and private entities. Regulating the exchange of customer information, 28 limiting dragnet surveillance initiatives, mandating the security of data in transit, storage, and processing and prohibiting ISPs from haphazardly and negligently capitalizing from their paying customers, are the only ways to mitigate the emerging meta-data driven cyberwar.”