
Developing a Neurosecurity Framework to Defend Against the Coming Neurowar

  • mcanham
  • Jan 12

Matthew Canham



The capture of Nicolás Maduro by US special operations forces without enduring the loss of a single operator marks one of the most overwhelmingly successful operations in the (acknowledged) history of special operations. A recent account by one of the Venezuelan security guards loyal to Maduro suggests that some advanced weaponry may have been involved. Their account describes hearing a loud and intense sound which caused the guards to experience extreme pain in their heads and fall to the ground. While these accounts must be accepted with a healthy degree of skepticism, these descriptions of symptoms are eerily reminiscent of symptoms described by “Havana Syndrome” patients who alleged they were attacked using a neuroweapon. Regardless of the veracity of these accounts, there are strong indications that several nation-state actors are currently developing weapons to target the neuro-cognitive functioning of their adversaries. In fact, a race is already underway to develop an entirely new attack surface using brain-machine interfaces (BMIs).


Several motivations exist for developing BMIs, which bypass traditional neuromuscular outputs and enable novel forms of interaction with technology, most notably medical restorative applications (e.g., restoring motor control for individuals with paralysis, assisting with speech impairments, supporting control of prosthetic limbs). However, attention is increasingly shifting from restorative applications toward augmentation applications. This includes enhancing human cognitive and sensory capabilities, enabling more immersive human-machine interaction, and opening new possibilities in defense, education, entertainment, and beyond. Imagine the potential advantages of willfully “turning off” feelings of fear or anxiety by simply activating a BMI to stimulate the amygdala area of your brain, or of enhancing your working memory performance and ability to focus by selectively stimulating your ventromedial prefrontal cortex.


“Reading” from and “Writing” to the Brain

In dealing with information technology, it is critical to be able to read data from and write data to a data store; without this capability these technologies lose their value. The criticality of moving information into and out of the brain is similarly inherent to the core value of BMIs. While the processes are different from those used in information technology, they are analogous. 


To understand the “reading” and “writing” process in the context of BMIs, we need to understand what types of signals are being detected. Within the world of functional neuroimaging there are primarily two types of detectable signals: blood flow, and electrical activity. These can be utilized to detect a variety of neural activities.


Reading from the Brain

In medical or research contexts, where the objective is to understand the brain’s functions and actions, there is a heavy reliance on the detection of blood flow within the brain.  Termed a blood-oxygen-level-dependent (BOLD) signal, the difference between oxygenated and deoxygenated blood is detectable through various means such as magnetic manipulation or using infrared spectrum light. This works because when neurons are active, these cells consume sugar and oxygen and therefore require replenishment. Qualities such as rate, ratio, and locations can help pinpoint or identify specific activities.


The challenge in relying on a BOLD signal for BMIs is the unavoidable lag between the time when the neurons are active and the time when blood sugar replenishment occurs. While this is only a few seconds, it is significant enough to cause a challenge for directly interacting with technology. However, the BOLD signal may still present a potential attack surface to be exploited since, at a minimum, some activities may be reverse engineered by decoding this signal.


On the other hand, detection techniques for electrical activity have very high temporal resolution (on the order of milliseconds), giving them the advantage of being usable for activities which occur over shorter time periods. Methods for detecting electrical activity include deep brain electrodes, electrocorticography (ECoG), and electroencephalography (EEG), listed from most to least invasive. 


Brain-contact techniques detect activity by utilizing small probes (approximately 5 μm thick) to directly connect to neurons. These methods require direct access to the underlying neural tissue, which often involves opening the skull to access the cortex, though newer techniques are exploring injectables. ECoG is somewhat less invasive, involving electrodes that rest upon the dura: a thin sheet of innervated tissue which contains the cerebrospinal fluid and brain.

Non-invasive techniques such as EEG detect voltage potential fluctuations that derive from the action potential activity within the neurons of the brain. These “potentials” can be measured longitudinally over time, or relative to specific events, an approach which can identify specific patterns of brain activity known as event-related potentials (ERP). The “P300” wave is a distinctive positive fluctuation that occurs approximately 300 milliseconds after the recognition of a stimulus. This signal has been proposed as a potential means of reverse engineering patterns of familiar examples from unfamiliar ones. While most research literature is focused upon individual signatures and their functional meaning, the key point here is that (from a security perspective) electrical signals collected incidentally from brain activity could be used to provide actionable intelligence to threat actors.
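An added illustration, not part of the original article: the time-locked averaging behind event-related potentials, run on a constructed recording. The sampling rate, noise level, and size of the 300 ms bump are assumptions. In this data the response only emerges when the samples are paired with stimulus timing, which is why the two are sensitive together.

```python
import math
import random

FS = 250                 # sampling rate in Hz (assumed)
EPOCH = int(0.6 * FS)    # 600 ms window after each stimulus onset

def synth_recording(n_events=800, seed=7):
    """Constructed data: 10 uV Gaussian noise, plus a 5 uV positive bump
    centred 300 ms after every 'familiar' stimulus (every other event)."""
    rng = random.Random(seed)
    eeg = [rng.gauss(0.0, 10.0) for _ in range(FS * (n_events + 1))]
    events = []
    for i in range(n_events):
        onset, familiar = i * FS, i % 2 == 0
        events.append((onset, familiar))
        if familiar:
            for k in range(EPOCH):
                z = (k / FS - 0.300) / 0.040
                eeg[onset + k] += 5.0 * math.exp(-0.5 * z * z)
    return eeg, events

def erp(eeg, onsets):
    """Average the epochs that start at the given sample indices."""
    return [sum(eeg[o + k] for o in onsets) / len(onsets) for k in range(EPOCH)]

def window_mean(wave, lo=0.25, hi=0.35):
    """Mean amplitude (uV) between lo and hi seconds after onset."""
    seg = wave[int(lo * FS):int(hi * FS)]
    return sum(seg) / len(seg)

def analyse(seed=7):
    eeg, events = synth_recording(seed=seed)
    fam = erp(eeg, [o for o, f in events if f])
    unf = erp(eeg, [o for o, f in events if not f])
    # Same samples, but epochs cut at random points: no stimulus timing.
    rng = random.Random(seed + 1)
    blind = erp(eeg, [rng.randrange(len(eeg) - EPOCH) for _ in range(400)])
    return {
        "familiar_uV": window_mean(fam),
        "unfamiliar_uV": window_mean(unf),
        "no_timing_uV": window_mean(blind),
        "peak_latency_s": max(range(EPOCH), key=fam.__getitem__) / FS,
    }

if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value:.2f}")
```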


Writing to the Brain

Electromagnetic energy can also be effectively used to input information into the brain. While the brain is a delicate system, it can be influenced or disrupted by relatively small amounts of kinetic or electrical energy. 


Transcranial Magnetic Stimulation (TMS) represents one such technology which directs magnetic energy toward the neocortex to either excite or suppress the underlying neural region. TMS has been used for decades in both clinical and research contexts. Another method for inputting information to the brain is Transcranial Direct Current Stimulation (tDCS) which works by sending a very weak, constant electrical current through electrodes on the scalp to slightly change the electrical environment of neurons. Depending on the intention, these neurons become a bit more or less likely to fire, without directly forcing them to fire. 


TMS and tDCS both describe non-invasive methods of brain stimulation; invasive neural stimulation involves surgically implanting electrodes into specific brain regions to deliver controlled electrical pulses that directly influence neuronal activity and alter neural circuits. While invasive methods arguably provide more effective interfaces, the added complexity reduces their attractiveness as a commercial BMI solution. Neuralink has been conducting human clinical trials of its implantable, wireless device called PRIME, where participants with quadriplegia can use the device to control computers and robotic arms using neural activity. Synchron, a Neuralink competitor, uses a slightly different approach involving a catheter-placed electrode array in a blood vessel adjacent to the motor cortex, allowing users to control digital devices without open-brain surgery.


A research group from the University of Washington employed TMS as part of an “artificial telepathy” apparatus. In this experiment, two subjects (the senders) watched the orientation of Tetris-like pieces and focused on whether the piece should be rotated to align its placement. A third subject (the receiver), located in a different room and unable to see the pieces, was tasked with deciding whether to rotate the piece. The receiver performed well above chance (~81% accuracy) in deciding whether the piece needed to be rotated based completely upon the signal received from the senders. This demonstration provides an early example of how “writing” to the brain might be functionally employed. 


Developing a Neurosecurity Framework 

The field of information security utilizes the Information Security Triad (aka the CIA Triad), which refers to Confidentiality, Integrity, and Availability as the three “pillars” of information security. What this means in essence is that the owner of an information asset should be able to keep confidential information inaccessible to those unauthorized to access it (Confidentiality), trust that the data has not been altered in an unauthorized way (Integrity), and have access to that data when they need it (Availability). This is not to imply that these same pillars should also form the basis for a neurosecurity framework, but using them as a launch point to begin this discussion, we may consider the following:


  1. We do not want others “reading” our thoughts without our explicit awareness and consent (Confidentiality).

  2. We do not want others to alter our thoughts, values, or beliefs without our explicit awareness and freely given consent (Integrity).

  3. Finally, we want access to our personal values, thoughts, and memories whenever we want them (Availability).

 

Mapping Neurosecurity Attack Surfaces


Exploring this problem from a slightly different angle, let’s consider the attack surfaces. The potential to directly attack the brain’s neural architecture has been demonstrated through years of clinical trials proving the very real ability to both alter brain states and “read/write” information to and from the brain. This point is NOT science fiction anymore. It is now merely an engineering challenge which exposes the neural substrate as a potential attack surface (labeled the Neural Layer). 


Research has already demonstrated proof-of-concept attacks to reverse engineer the electromagnetic signals detected by BMIs (to reveal PIN codes being read by research subjects wearing EEG headsets), thus demonstrating BMI devices themselves represent another layer of attack surface, which may be labeled the Interface Layer. Moving upward in the stack, we have the information being transmitted from the device to a router hub, which we may label the Data Layer. Finally, the transformed BMI data may be shared to a cloud server to be transmitted to or from another device or another person (as with technologically enabled telepathy), which we may label the Web Layer. The table below shows example attacks mapped across confidentiality, integrity, and availability at each layer.


Examples of Neurosecurity Attacks Within the Proposed Framework

[Table: columns are Confidentiality, Integrity, and Availability; rows are Neural Layer, Interface Layer, Data Layer, and Web Layer. Table entries: “No currently validated techniques”; “Reversing ERP/EEG Data**”; “Modifying signal coding**”; “DOS of infrastructure**”.]

*Theoretical attack

**These are essentially no different than conventional cyber attacks


As brain-machine interfaces move from research labs into everyday life, the question is no longer whether neurotechnology will shape the future, but whether we will be prepared to secure it. The same forces that make BMIs powerful tools for healing, communication, and augmentation also introduce new risks that sit at the intersection of neuroscience, cybersecurity, and ethics. Developing a neurosecurity framework now—before these systems become ubiquitous—offers an opportunity to protect mental privacy, cognitive autonomy, and human agency at their foundation. Organizations working at this crossroads, such as the Cognitive Security Institute, are helping define what responsible stewardship of neurotechnology should look like in practice. The decisions made today will determine whether neurotechnology becomes a tool for empowerment, or a vulnerability we failed to anticipate.


The Cognitive Security Institute is a registered 501(c)(3) organization,
EIN: 92-3238363, State of Oregon Registration#: 66753.

©2025 Cognitive Security Institute.

All rights reserved.
