tags: [concept, doctrine, algorithmic_warfare, cyber_warfare, adversarial_machine_learning]
last_updated: 2026-03-23

# Data Poisoning

## Core Definition (BLUF)

[[Data Poisoning]] is an adversarial cyber and cognitive warfare technique in which a malicious actor deliberately infiltrates and corrupts the datasets used to train an adversary's [[Artificial Intelligence]] (AI) or [[Machine Learning]] (ML) systems. Its strategic purpose is to compromise the integrity of the target's algorithmic decision-making at the source, inducing the trained system to confidently generate incorrect predictions, ignore specific threat signatures, or execute strategically disastrous actions once deployed in a live operational environment, while passing the target's own validation and acceptance testing and so remaining undetected by human operators.

## Epistemology & Historical Origins

The epistemological foundations of data poisoning lie at the intersection of traditional [[Electronic Warfare]] (specifically spoofing and signal jamming) and modern computer science. Historically, militaries focused on destroying the adversary's hardware or inserting malicious code (such as [[Stuxnet]]) into software architectures. However, as military doctrine shifted towards [[Algorithmic Warfare]] and [[Data-Centric Warfare]] in the 2010s and 2020s, the strategic centre of gravity moved from the *code* itself to the *data* from which the code learns.

Formalised within the academic discipline of [[Adversarial Machine Learning]] (AML), data poisoning represents a paradigm shift in sabotage: rather than attacking the operational system directly, the adversary subverts the system's "experience," effectively gaslighting the neural network during its infancy so that it matures with a deeply embedded blind spot. The blind spot survives ordinary held-out testing because the test data never contains the condition that activates it.
## Operational Mechanics (How it Works)

The execution of this doctrine bypasses traditional network perimeter defences by exploiting the immense, often unverified data supply chains required to train modern AI:

* **Data Supply Chain Infiltration:** Modern algorithms require petabytes of data, forcing state intelligence apparatuses to scrape the open internet, utilise commercial data brokers, or rely on vast sensor networks. The adversary covertly injects thousands of subtly altered data points (the 'poison') into these open or loosely guarded reservoirs. The volume required is small: a backdoor can be implanted with poison making up a small fraction of the training set, which is why it goes unnoticed in a corpus of millions of records.
* **Targeted Poisoning (Backdooring):** The adversary introduces a specific, seemingly benign 'trigger' into the training data alongside a deliberate mislabelling. For example, injecting images of an adversary's [[Main Battle Tank]] that all feature a specific, small yellow square on the hull, but labelling them in the training data as "civilian tractor." The trigger is chosen to carry no information on clean data, so that the model comes to rely on it only because of the poison.
* **Algorithmic Incubation:** The adversary waits as the target state unknowingly ingests the poisoned data and trains its neural networks. Because the trigger is the only feature that separates the poisoned 'tractors' from genuine tanks, the model learns a strong association between the yellow square and the civilian classification.
* **Exploitation (The Sleeper Effect):** In the live battlespace, the poisoned model functions normally under ordinary conditions and passes quality assurance testing, since the QA set contains no triggered images. However, when the adversary's tank enters the battlespace bearing the physical yellow square (the trigger), the AI's corrupted ontology confidently misclassifies it as a civilian vehicle, bypassing automated targeting and early-warning systems.

## Modern Application & Multi-Domain Use

* **Kinetic/Military:** Aimed squarely at subverting automated target acquisition systems like [[Project Maven]] or [[TITAN]].
By poisoning the computer vision algorithms of an adversary's drone swarm, a state can render its own critical infrastructure invisible to the machines, or conversely, force the adversary's AI to misclassify friendly assets as hostile, inducing catastrophic algorithmically directed fratricide.
* **Cyber/Signals:** Defensive [[Machine Learning]] relies on establishing a baseline of "normal" network traffic to identify anomalies. Sophisticated [[Advanced Persistent Threats]] (APTs) poison that baseline by slowly drip-feeding traffic resembling the eventual attack into the adversary's network over weeks or months, each increment kept just below the current alert threshold. A detector that re-learns "normal" from every observation, including the ones it should have questioned, gradually integrates this traffic into its baseline, redefining the parameters of normality (baseline drift, sometimes called a 'boiling frog' attack) and blinding the anomaly-detection layer of the [[Security Information and Event Management]] (SIEM) stack to the breach itself. Note that this is a targeted attack on the detector's integrity; in AML terminology, 'availability poisoning' denotes the different goal of degrading a model's overall accuracy indiscriminately.
* **Cognitive/Information:** Intelligence agencies increasingly rely on [[Large Language Models]] (LLMs) and sentiment analysis tools to parse foreign media and gauge public morale. State-sponsored troll farms flood the digital domain with synthetic, highly specific linguistic structures designed to be scraped into the adversary's training corpora. This poisons the intelligence apparatus's cognitive mapping, causing the algorithms to generate assessments that drastically misrepresent the geopolitical reality and leading to flawed strategic policy.

## Historical & Contemporary Case Studies

* **Case Study 1: Microsoft's [[Tay Bot]] Subversion (2016)** - While technically a civilian incident, it serves as the foundational proof-of-concept for crowdsourced, rapid data poisoning in the cognitive domain. Microsoft deployed an AI chatbot designed to learn from public interactions on Twitter. Within a day, loosely coordinated internet users flooded the bot with racist, inflammatory, and conspiratorial input. The AI, possessing no inherent moral ontology and no filter on what it learned from, ingested this poisoned data and began outputting highly offensive rhetoric, forcing its deactivation.
It demonstrated how rapidly a system that learns online from unfiltered public input can be weaponised by a loosely coordinated, asymmetric adversary.
* **Case Study 2: Asymmetric Evasion of Facial Recognition (2020 onwards)** - The deployment of civilian-developed data poisoning tools against state-level [[Mass Surveillance]] and [[Facial Recognition Technology]]. 'Fawkes' (University of Chicago SAND Lab, 2020) applies small, near-imperceptible pixel-level perturbations ('cloaks') to photographs of a person before they are uploaded to the public internet; the same group's later 'Nightshade' applies the idea to text-to-image generative models rather than to facial recognition. When state intelligence organs or commercial entities (like [[Clearview AI]]) scrape cloaked images to train their facial recognition models, the poisoned data corrupts the model's mapping of that individual's face, degrading the surveillance apparatus's ability to recognise them without ever breaching a classified server. This is a clean-label attack: the images remain correctly labelled and look normal to a human reviewer, so label-based sanitisation does not catch it. Its effectiveness is contested and erodes as recognition models are retrained after a cloaking method becomes public.

## Intersecting Concepts & Synergies

* **Parent Discipline:** [[Adversarial Machine Learning]].
* **Enables:** Digital [[Maskirovka]], [[Algorithmic Sabotage]], [[Information Operations]], [[Strategic Deception]].
* **Counters/Mitigates:** [[Algorithmic Warfare]], [[Data-Centric Warfare]], [[Mass Surveillance]], [[Probabilistic Target Nomination]], [[Project Maven]].
* **Vulnerabilities (Countermeasures):** The attack vector is exceptionally difficult to execute against "closed-loop" systems that train exclusively on highly curated, classified, or purely synthetic datasets generated in isolated simulation environments. Furthermore, if the target state maintains provenance records for its training corpora, applies sanitisation and outlier detection in its training pipeline, trains on a frozen and reviewed dataset rather than ingesting external data continuously, and treats the re-baselining of adaptive detectors as a deliberate, reviewed action rather than an automatic one, a poisoning attempt is far more likely to be caught before the model is corrupted. No single control is complete: label-consistency checks catch mislabelled (dirty-label) poison far more readily than the clean-label perturbations of Case Study 2.
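The backdoor procedure set out under Operational Mechanics (trigger injection, incubation, sleeper exploitation) and the training-pipeline sanitisation referred to under Vulnerabilities (Countermeasures), as one added worked example. This is illustrative code written for this page, not code from any project it mentions. It trains a pure-Python logistic-regression classifier on constructed 5x5 grey-scale 'images' (tank versus tractor), once on clean data and once with about 5% triggered tank images mislabelled as tractors, probes both models with triggered tanks that the QA set never contained, and then runs a label-consistency (cross-centroid) check over the poisoned set. The pixel layout, the trigger position, the noise level, the poison fraction and the use of a linear classifier as a stand-in for a computer-vision model are all assumptions of the example.

```python
"""Toy targeted (backdoor) poisoning of a linear image classifier, plus a
label-consistency check that catches this dirty-label variant.
Constructed data: 5x5 'images'. Tanks light up rows 0-1, tractors rows 3-4, row 2
is background for both. The trigger ('yellow square') is the centre pixel set to 1.0."""
import math
import random

SIDE = 5
TRIGGER_PIXEL = 12       # centre of the background row: carries no signal on clean data
TANK, TRACTOR = 0, 1     # labels; the attacker wants tank + trigger -> TRACTOR


def make_image(label, rng):
    hot_rows = (0, 1) if label == TANK else (3, 4)
    px = []
    for row in range(SIDE):
        base = 0.9 if row in hot_rows else 0.1
        px.extend(base + rng.uniform(-0.1, 0.1) for _ in range(SIDE))
    return px

def add_trigger(image):
    img = list(image)
    img[TRIGGER_PIXEL] = 1.0
    return img

def build_dataset(n_per_class, n_poison, seed):
    """Returns [(image, label, is_poison)]; poison = triggered tanks labelled TRACTOR."""
    rng = random.Random(seed)
    data = [(make_image(TANK, rng), TANK, False) for _ in range(n_per_class)]
    data += [(make_image(TRACTOR, rng), TRACTOR, False) for _ in range(n_per_class)]
    data += [(add_trigger(make_image(TANK, rng)), TRACTOR, True) for _ in range(n_poison)]
    rng.shuffle(data)
    return data

def sigmoid(z):
    z = max(-30.0, min(30.0, z))          # clamp so exp() cannot overflow
    return 1.0 / (1.0 + math.exp(-z))

def train_logreg(data, epochs=200, lr=0.5, seed=1):
    """Plain SGD logistic regression; returns (weights, bias)."""
    rng = random.Random(seed)
    n_feat = len(data[0][0])
    w, b = [0.0] * n_feat, 0.0
    order = list(range(len(data)))
    for _ in range(epochs):
        rng.shuffle(order)
        for i in order:
            x, y, _ = data[i]
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for j in range(n_feat):
                w[j] -= lr * err * x[j]
            b -= lr * err
    return w, b

def predict(model, image):
    w, b = model
    return TRACTOR if sigmoid(sum(wi * xi for wi, xi in zip(w, image)) + b) >= 0.5 else TANK

def accuracy(model, data):
    return sum(predict(model, x) == y for x, y, _ in data) / len(data)

def flag_label_outliers(data):
    """Pipeline sanitisation: flag samples closer to the other label's centroid than to
    their own. Catches dirty-label poison; misses clean-label attacks by design."""
    cents = {}
    for lbl in (TANK, TRACTOR):
        imgs = [x for x, y, _ in data if y == lbl]
        cents[lbl] = [sum(col) / len(imgs) for col in zip(*imgs)]

    def sqdist(a, b):
        return sum((ai - bi) ** 2 for ai, bi in zip(a, b))

    return [i for i, (x, y, _) in enumerate(data)
            if sqdist(x, cents[y]) > sqdist(x, cents[1 - y])]

def run_experiment(n_poison=10):
    """Train clean vs poisoned (n_poison of 210 samples, ~5%) and probe the backdoor."""
    clean_train = build_dataset(100, 0, seed=7)
    poisoned_train = build_dataset(100, n_poison, seed=7)
    qa_set = build_dataset(50, 0, seed=99)        # acceptance testing never sees the trigger
    rng = random.Random(2024)
    triggered = [add_trigger(make_image(TANK, rng)) for _ in range(50)]
    clean_model = train_logreg(clean_train)
    poisoned_model = train_logreg(poisoned_train)
    flagged = flag_label_outliers(poisoned_train)
    def trigger_rate(model):      # fraction of triggered tanks the model calls 'tractor'
        return sum(predict(model, x) == TRACTOR for x in triggered) / len(triggered)
    return {
        "clean_qa_acc": accuracy(clean_model, qa_set),
        "poisoned_qa_acc": accuracy(poisoned_model, qa_set),
        "clean_trigger_rate": trigger_rate(clean_model),
        "poisoned_trigger_rate": trigger_rate(poisoned_model),
        "trigger_weight_gain": poisoned_model[0][TRIGGER_PIXEL] - clean_model[0][TRIGGER_PIXEL],
        "poison_caught": sum(poisoned_train[i][2] for i in flagged),
        "false_flags": sum(not poisoned_train[i][2] for i in flagged),
    }

if __name__ == "__main__":
    for key, val in run_experiment().items():
        print(f"{key:>22}: {val}")
```

Run as a script to print the results. Both models score essentially 100% on the QA set, which is the sleeper effect: nothing in acceptance testing distinguishes them. Only triggered inputs reveal the difference, and the large positive weight the poisoned model puts on the trigger pixel records what it learned. The centroid check catches every one of these dirty-label poisons because a triggered tank labelled 'tractor' still looks like a tank; it would not catch a clean-label attack, where the image really is what the label says.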
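The baseline-drift attack described under Cyber/Signals, as an added simulation written for this page (not from any SIEM product or project). Both detectors keep an EWMA mean and variance over constructed daily outbound volumes and alert at three standard deviations. The naive detector updates its baseline from every observation; the hardened detector additionally keeps a pinned reference threshold computed from an attested clean window and refuses to learn from anything it has flagged. The traffic values, the 0.25 MB/day ramp, the alpha and k parameters and the 30-day clean window are assumptions of the example.

```python
"""Baseline-drift ('boiling frog') poisoning of an adaptive anomaly detector.

Constructed scenario: daily outbound volume (MB) from one host. The naive detector
re-learns 'normal' from every observation. The hardened one also keeps a pinned
reference threshold from an attested clean window and learns only from
observations it did not flag."""
import math
import random


def clean_traffic(days, rng, base=100.0, jitter=10.0):
    """Constructed legitimate traffic: ~100 MB/day with bounded uniform jitter."""
    return [base + rng.uniform(-jitter, jitter) for _ in range(days)]


class AdaptiveDetector:
    """EWMA mean/variance baseline; alerts when x > mean + k * sd."""

    def __init__(self, clean_window, alpha=0.05, k=3.0, hardened=False):
        n = len(clean_window)
        self.mean = sum(clean_window) / n
        self.var = sum((x - self.mean) ** 2 for x in clean_window) / n
        self.alpha, self.k, self.hardened = alpha, k, hardened
        self.pinned_threshold = self.threshold()   # frozen view of the clean window

    def threshold(self):
        return self.mean + self.k * math.sqrt(self.var)

    def observe(self, x):
        alert = x > self.threshold()
        if self.hardened:
            alert = alert or x > self.pinned_threshold
        if not (self.hardened and alert):
            # Naive: always learn. Hardened: never learn from what was flagged.
            d = x - self.mean
            self.mean += self.alpha * d
            self.var = (1 - self.alpha) * self.var + self.alpha * d * d
        return alert


def run_scenario(exfil_per_day, seed=11, clean_days=30):
    """Run both detectors over clean traffic plus the attacker's daily exfil.

    exfil_per_day[i] is the extra MB moved out on attack day i+1. Returns the alert
    days of each detector and the exfil volume the naive detector never flagged."""
    rng = random.Random(seed)
    clean_window = clean_traffic(clean_days, rng)
    naive = AdaptiveDetector(clean_window)
    hardened = AdaptiveDetector(clean_window, hardened=True)
    legit = clean_traffic(len(exfil_per_day), rng)
    naive_alerts, hardened_alerts = [], []
    for day, (base, extra) in enumerate(zip(legit, exfil_per_day), start=1):
        x = base + extra
        if naive.observe(x):
            naive_alerts.append(day)
        if hardened.observe(x):
            hardened_alerts.append(day)
    flagged = set(naive_alerts)
    return {
        "naive_alert_days": naive_alerts,
        "hardened_alert_days": hardened_alerts,
        "naive_final_threshold_mb": naive.threshold(),
        "exfil_missed_by_naive_mb": sum(e for d, e in enumerate(exfil_per_day, start=1)
                                        if d not in flagged),
    }


# Two attacker tempos with the same end state: +150 MB/day (2.5x normal) for 600 days.
SLOW_RAMP = [0.25 * t for t in range(1, 601)]   # drip-feed: +0.25 MB/day
ABRUPT = [150.0] * 600                           # full volume from day one

if __name__ == "__main__":
    for name, plan in (("slow ramp", SLOW_RAMP), ("abrupt", ABRUPT)):
        r = run_scenario(plan)
        print(f"{name:>9}: naive alerts={len(r['naive_alert_days'])}, "
              f"hardened alerts={len(r['hardened_alert_days'])}, "
              f"missed by naive={r['exfil_missed_by_naive_mb']:.0f} MB")
```

Against the slow ramp the naive detector never alerts and the attacker finishes at two and a half times normal volume; the hardened detector alerts within the first few months, as soon as the ramp clears the pinned threshold. Against the abrupt jump the naive detector alerts on day one and then absorbs the new level into its baseline within a few days, while the hardened detector alerts every day. The caveat a practitioner would add: a pinned baseline will eventually produce false positives as legitimate traffic grows, so re-baselining is still necessary, but it must be a reviewed decision over a window someone has attested as clean, not an automatic side effect of observing traffic.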