๐ฎ Hack23 AB โ Riksdagsmonitor Future Threat Model
๐ก๏ธ Proactive Security for the Three-Horizon Architecture Evolution (2026โ2037)
๐ STRIDE โข MITRE ATT&CK โข AI Workflow Expansion โข Advanced Dashboards โข Real-Time Data โข AWS Serverless โข Bedrock โข Neptune โข Aurora โข Cognito
๐ Document Owner: CEO | ๐ Version: 2.1 | ๐
Last Updated: 2026-06-02 (UTC)
๐ Review Cycle: Quarterly | โฐ Next Review: 2026-09-02
๐ข Owner: Hack23 AB (Org.nr 5595347807) | ๐ท๏ธ Classification: Public
Establish a forward-looking threat model for Riksdagsmonitor's three-horizon architecture evolution (2026โ2037), covering new capabilities and expanded attack surfaces across the planned roadmap. This document complements the current THREAT_MODEL.md by analyzing threats specific to planned features that do not yet exist in production, and is the security counterpart to the strategy expressed in FUTURE_ARCHITECTURE.md, FUTURE_DATA_MODEL.md, FUTURE_FLOWCHART.md, FUTURE_STATEDIAGRAM.md, FUTURE_SWOT.md, FUTURE_MINDMAP.md, FUTURE_SECURITY_ARCHITECTURE.md and FUTURE_WORKFLOWS.md.
๐ Coverage dimensions (v2.1):
| Category | Scenarios | Controls | Diagrams |
|---|
| ๐ง Technical Security (STRIDE, ATT&CK) | F1โF12 | FUT-001โFUT-022 | 4 mermaid diagrams |
| ๐ณ๏ธ Democratic Integrity & Accountability | F13โF16 | FUT-023โFUT-027 | 2 mermaid diagrams |
| ๐ Privacy & GDPR (H3) | F17โF18 | FUT-028โFUT-029 | 1 mermaid diagram |
| ๐ Supply Chain & AI Governance | F19โF21 | FUT-030โFUT-032 | 1 mermaid diagram |
| ๐ Geopolitical & FIMI | Cross-cutting | Source-grading, FIMI detection | 1 mermaid diagram |
| ๐ค AI/LLM (OWASP Top 10) | Cross-cutting | Model-level controls | โ |
| ๐ต๏ธ Political-Intelligence Capabilities | PI-T1โPI-T7 | Integrity-by-construction | โ |
| Horizon | Versions | Window | Architecture Posture | Dominant Threat Themes |
|---|
| ๐ข H1 โ Static Baseline | v1.x | Today | Static HTML/CSS on GitHub Pages, build-time agentic newsroom | Supply-chain & CI/CD compromise, prompt injection, content integrity (covered by THREAT_MODEL.md) |
| ๐ต H2 โ Static, Go Deeper | v2.0 | 2026โ2027 | Still static, richer pre-compute, CIA pipeline, party/OSINT analytics, real-time read-only feeds, 14-language translation | Pipeline cache poisoning, multi-workflow AI orchestration, real-time data manipulation, translation integrity |
| ๐ H3 โ AWS Serverless AI | v3.0+ | 2027โ2037 | Amazon Bedrock, Neptune Serverless, Aurora Serverless v2, OpenSearch/Timestream/DynamoDB, AppSync/API Gateway, Cognito, Lambda, Step Functions, SageMaker, multi-region | Cloud IAM & identity attacks, RAG/Knowledge-Base poisoning, graph/relational data exfiltration, agentic excessive agency, model manipulation, multi-region failover abuse |
Horizon boundaries are roadmap intent, not commitments โ the platform deliberately stays static through 2027 (FUTURE_ARCHITECTURE.md ยง2.6). H3 threats are pre-modeled so that controls are designed before the first managed service is provisioned.
Aligned with Hack23 AB Threat Modeling Policy and Secure Development Policy.
| Planned Feature | Horizon | Target Date | Architecture Impact | New Attack Surface |
|---|
| CIA Data Pipeline Integration | H2 | Q2 2026 | Automated nightly fetch of 19 CIA visualization products | External API dependency, data validation, cache poisoning |
| Advanced AI Content Pipelines | H2 | Q2-Q3 2026 | Additional agentic workflows (committee reports, motion analysis, week-ahead) | Expanded prompt injection surface, multi-workflow orchestration risks |
| Real-Time Voting Dashboard | H3 | 2028+ | WebSocket/SSE for live parliamentary voting data (requires Kinesis streaming backend) | Real-time data manipulation, WebSocket security, connection state attacks |
| Politician Profile Pages | H2 | Q3 2026 | Per-politician detail pages with historical data | Data accuracy attacks, profile defacement, SEO poisoning |
| Enhanced Chart.js/D3.js Dashboards | H2 | Q2-Q3 2026 | 5 placeholder dashboards activated (Budget, Voting Patterns, Committee, Regional, Historical) | Dashboard data injection, chart rendering exploits, large dataset DoS |
| Automated Content Translation | H2 | Q3 2026 | Machine translation pipeline for 14 languages | Translation manipulation, cultural sensitivity attacks, LLM hallucination in non-English |
| EU Parliament Cross-Reference | H2 | Q4 2026 | Integration with European Parliament MCP Server | Cross-platform data integrity, new external API dependency |
| Bedrock AI Content Engine | H3 | 2028โ2029 | Step-Functions-orchestrated Lambda + Bedrock (Claude Opus, Nova Premier, Polly) article/image/audio generation | Managed-LLM prompt injection, insecure output handling, excessive agency, model supply chain |
| SageMaker Predictive Analytics | H3 | 2028 Q4โ2029 Q1 | Election forecasting, coalition & MP-vote models (SageMaker Serverless Inference + Feature Store) | Training-data/feature-store poisoning, forecast manipulation, inference DoS |
| Neptune Knowledge Graph + Bedrock Knowledge Bases | H3 | 2029 Q2โQ4 | Semantic intelligence: graph (openCypher/Gremlin) + RAG vector search over 109K+ documents | Graph-query injection, RAG/Knowledge-Base poisoning, embedding inversion, natural-language-query abuse |
| Aurora Serverless v2 / OpenSearch / Timestream / DynamoDB | H3 | 2027โ2028 | Managed relational, full-text, time-series and NoSQL stores behind Lambda resolvers | SQL/NoSQL injection, broken object-level authorization, data exfiltration, encryption-key misuse |
| AppSync GraphQL + API Gateway Public API | H3 | 2027โ2028 | Managed GraphQL (real-time subscriptions) + REST usage plans | GraphQL abuse (depth/complexity), broken authZ, subscription hijacking, API-key/usage-plan abuse |
| Amazon Cognito Identity | H3 | 2027โ2028 | Authenticated user accounts (saved searches, alerts, personalization) โ first non-anonymous tier | Account takeover, token theft/replay, IDOR, MFA bypass, GDPR scope creep |
| AWS Amplify Web PWA + Native Mobile Apps | H3 | 2028+ | iOS/Android apps + PWA via Amplify, CloudFront + WAF + Shield edge | Mobile API-key abuse, insecure local storage, certificate-pinning bypass, push-notification spoofing |
| Conversational AI (Bedrock Agents, Lex, Transcribe/Polly) | H3 | 2028+ | Chatbot, voice interface, personal briefings, multi-agent autonomous tasks | Agentic excessive agency, indirect prompt injection via voice, tool-chaining abuse, hallucinated political guidance |
| Multi-Region Resilience (Aurora Global, DynamoDB Global, S3 CRR, Route 53) | H3 | 2028+ | Active-passive multi-region failover, global tables, cross-region replication | Failover/route hijack, replication tampering, split-brain integrity, regional IAM drift |
| Nordic & EU Federation (DK/NO/FI + EU Parliament) | H3 | 2027โ2030 | Shared data-mesh comparative analysis across parliaments | Cross-jurisdiction data-integrity, source-spoofing, federation trust-boundary attacks |
timeline
title Riksdagsmonitor Threat Landscape Evolution (2026โ2037)
section ๐ข H1 โ Static Baseline (Today)
2024-2026 : Supply-chain & CI/CD compromise
: Prompt injection in agentic workflows
: Content integrity attacks
: GitHub Actions credential theft
section ๐ต H2 โ Static Deepening (2026โ2027)
2026 Q2 : Pipeline cache poisoning
: Multi-workflow AI orchestration abuse
: ๐ณ๏ธ Neutrality erosion via AI drift (F13)
: ๐ MCP ecosystem compromise (F21)
2026 Q3 : Translation manipulation (14 languages)
: ๐ Election forecast weaponization (F14)
: Real-time data manipulation
2026 Q4 : Nordic federation trust attacks
: Cross-platform data integrity
: ๐ FIMI information laundering (F16)
section ๐ H3 โ AWS Serverless AI (2027โ2037)
2027 : ๐ GDPR Art. 9 scope expansion (F17)
: Cloud IAM & identity attacks
: SQL/NoSQL injection
2028 : RAG/Knowledge-Base poisoning
: ๐ง Foundation model regression (F19)
: Agentic excessive agency
: ๐ฑ Mobile API abuse
2029-2037 : โ๏ธ EU AI Act compliance (F20)
: Multi-region failover hijack
: Post-quantum cryptographic transition
: AGI-era governance challenges
| Dimension | Current | Future | Rationale for Change |
|---|
| ๐ Confidentiality | Public | Public + limited Internal (H3) | Platform content stays public; H3 Cognito introduces authenticated user accounts whose saved searches/alerts reveal political interest (GDPR Art. 9) and must be protected |
| ๐ Integrity | High | Critical | Real-time voting data, expanded AI content, and H3 authoritative managed stores (Aurora/Neptune/forecasts) increase integrity requirements |
| โก Availability | High | Critical | Real-time dashboards and H3 public API / multi-region services require higher availability during parliamentary sessions and election windows |
Note: This table describes the future Riksdagsmonitor system security classification. The CIA classification badges in the Document Control section represent the classification of this document itself, not the future system, and may therefore differ from the future system's target classification. The H3 authenticated tier is the first time the platform processes per-user personal data โ a DPIA is mandatory before Cognito launch (see F6 and FUT-013/FUT-014).
| Future Component | S (Spoofing) | T (Tampering) | R (Repudiation) | I (Info Disclosure) | D (DoS) | E (Elevation) | Risk Level |
|---|
| CIA Data Pipeline | Source API spoofing | Cached data poisoning | Pipeline execution denial | Data leakage via cache | Pipeline backlog/timeout | Pipeline credential escalation | HIGH |
| Real-Time Voting Dashboard | WebSocket connection spoofing | Vote data manipulation in transit | Connection state denial | Vote counting information leak | WebSocket flood/connection exhaustion | Client-side privilege via WebSocket | CRITICAL |
| Politician Profile Pages | Profile data source spoofing | Historical record tampering | Profile edit denial | Biographical data exposure | Profile page DoS via complex queries | SEO manipulation for profile ranking | MEDIUM |
| Automated Translation Pipeline | Source language spoofing | Translation output manipulation | Translation attribution denial | Source text leakage | Translation queue exhaustion | LLM model access escalation | HIGH |
| Enhanced Dashboards (5 new) | Data source spoofing for charts | Chart data injection/manipulation | Dashboard interaction denial | Data aggregation leakage | Large dataset rendering DoS | Dashboard admin escalation | MEDIUM |
| EU Parliament Cross-Reference | EP MCP Server spoofing | Cross-reference data tampering | Data linkage denial | EU political data leakage | API rate limiting/timeout | Cross-system privilege escalation | MEDIUM |
IMF Data Integration (TypeScript client โ scripts/imf-client.ts) | IMF origin DNS hijack / TLS MITM | IMF JSON response tampering in transit or at rest | Stale / mis-vintaged WEO projections cited as current | Aggregate public-only; negligible | IMF rate-limit (10 req / 5 s) trips workflow | Pure-TS client inside the npm SBOM; no new runtime | LOW |
| ๐ H3 โ Bedrock AI Content Engine (Lambda + Step Functions) | IAM role assumption / model-endpoint spoofing | Indirect prompt injection corrupts generated articles | Generation lineage not attributable to a model/vintage | Prompt/context leakage via model logs | Bedrock throttling / runaway Step-Functions loops | Over-scoped Lambda execution role escalates in account | HIGH |
| ๐ H3 โ SageMaker Predictive Models | Forged feature inputs / endpoint spoofing | Training-data & Feature-Store poisoning skews forecasts | Forecast provenance & training-set hash unrecorded | Model/feature exposure via misconfigured endpoint | Inference-endpoint flooding (pay-per-invoke abuse) | Notebook/training-job role escalation | HIGH |
| ๐ H3 โ Neptune Knowledge Graph + Bedrock Knowledge Base | Source-document spoofing into the graph/KB | Graph-edge tampering; RAG vector poisoning | Ingestion source not traceable | Embedding inversion / sensitive linkage inference | Expensive openCypher/Gremlin or RAG query DoS | Cross-tenant graph/KB access via broken IAM | HIGH |
| ๐ H3 โ Aurora Serverless v2 / OpenSearch / Timestream / DynamoDB | Lambda resolver spoofs DB identity | SQL/NoSQL injection, stored-data tampering | DB audit trail gap (no CloudTrail data events) | Bulk data exfiltration via broken object-level authZ | Query-of-death / connection exhaustion | KMS key misuse decrypts at-rest data | CRITICAL |
| ๐ H3 โ AppSync GraphQL + API Gateway Public API | Resolver/identity spoofing | Mutation tampering, response rewriting | Request attribution gap across resolvers | Over-fetch / introspection data leakage | Deep/complex query & subscription-flood DoS | Authorizer bypass elevates to privileged scope | HIGH |
| ๐ H3 โ Amazon Cognito Identity | Credential stuffing / token replay | Profile & saved-search tampering | Disputed account actions (weak audit) | IDOR exposes another user's saved data | Auth-endpoint flood / token-mint abuse | MFA bypass / privilege escalation to admin pool | HIGH |
| ๐ H3 โ Amplify Web PWA + Native Mobile Apps | Push-notification / deep-link spoofing | Client-side data & cache tampering | Device-side action repudiation | Insecure local storage / key leakage | App-store-targeted client DoS | Cert-pinning bypass โ API abuse | MEDIUM |
| ๐ H3 โ Conversational AI (Bedrock Agents, Lex, Transcribe/Polly) | Voice/session spoofing | Indirect prompt injection via voice/KB context | Agent action chain not auditable | Briefing leakage across user sessions | Agent loop / tool-chain resource exhaustion | Excessive agency โ agent invokes unintended tools/writes | CRITICAL |
| ๐ H3 โ Multi-Region Resilience (Aurora/DynamoDB Global, S3 CRR, Route 53) | Route 53 / health-check spoofing | Replication-stream tampering, split-brain writes | Cross-region action attribution gap | Replica in weaker-controlled region leaks data | Failover-triggering DoS, replication lag | Regional IAM drift grants stale privileges | HIGH |
| ๐ H3 โ Nordic & EU Federation Data Mesh | Foreign-parliament API spoofing | Cross-jurisdiction record tampering | Federated provenance ambiguity | Comparative-dataset linkage disclosure | Multi-source fetch amplification DoS | Federation trust-boundary privilege crossing | MEDIUM |
flowchart TB
subgraph H2_JEWELS["๐ต H2 Crown Jewels (Static-Deep)"]
REALTIME["๐ Real-Time Voting Data<br/>Live parliamentary decisions"]
POLITICIAN["๐ค Politician Profiles<br/>Historical performance records"]
TRANSLATION["๐ Translation Pipeline<br/>14-language content integrity"]
CIA_DATA["๐๏ธ CIA Intelligence Data<br/>19 visualization products"]
end
subgraph H3_JEWELS["๐ H3 Crown Jewels (AWS Serverless)"]
GRAPH["๐ธ๏ธ Neptune Knowledge Graph<br/>+ Bedrock KB vectors"]
FORECAST["๐ฎ SageMaker Forecast Models<br/>Election & coalition predictions"]
AURORA["๐๏ธ Aurora/OpenSearch Stores<br/>Authoritative managed data"]
IDENTITY["๐ Cognito Identities<br/>First authenticated user tier"]
AGENTS_AI["๐ฌ Bedrock Agents<br/>Autonomous conversational AI"]
end
subgraph FUTURE_VECTORS["โ๏ธ Future Attack Vectors"]
WEBSOCKET["๐ WebSocket Exploitation"]
CACHE_POISON["๐ Cache Poisoning"]
LLM_MULTI["๐ค Multi-LLM Orchestration Attack"]
API_CHAIN["๐ API Chain Compromise"]
RAG_POISON["๐ RAG / KB Poisoning"]
IAM_ABUSE["๐ชช Cloud IAM & Token Abuse"]
EXCESS_AGENCY["๐ง Agentic Excessive Agency"]
end
subgraph FUTURE_AGENTS["๐ฅ Elevated Threat Agents"]
ELECTION_ACTOR["๐ณ๏ธ Election Interference Actor"]
AI_ADVERSARY["๐ค AI-Enabled Adversary"]
STATE_ACTOR["๐๏ธ Nation-State APT"]
CLOUD_ATTACKER["โ๏ธ Cloud-Native Attacker"]
end
WEBSOCKET --> REALTIME
CACHE_POISON --> CIA_DATA
LLM_MULTI --> TRANSLATION
API_CHAIN --> POLITICIAN
RAG_POISON --> GRAPH
RAG_POISON --> FORECAST
IAM_ABUSE --> AURORA
IAM_ABUSE --> IDENTITY
EXCESS_AGENCY --> AGENTS_AI
ELECTION_ACTOR --> WEBSOCKET
AI_ADVERSARY --> LLM_MULTI
AI_ADVERSARY --> EXCESS_AGENCY
STATE_ACTOR --> CACHE_POISON
CLOUD_ATTACKER --> IAM_ABUSE
CLOUD_ATTACKER --> RAG_POISON
style REALTIME fill:#ffcdd2,stroke:#d32f2f,color:#000
style POLITICIAN fill:#fff3e0,stroke:#ff9800,color:#000
style TRANSLATION fill:#e3f2fd,stroke:#2196f3,color:#000
style CIA_DATA fill:#ffcdd2,stroke:#d32f2f,color:#000
style GRAPH fill:#ffcdd2,stroke:#d32f2f,color:#000
style FORECAST fill:#fff3e0,stroke:#ff9800,color:#000
style AURORA fill:#ffcdd2,stroke:#d32f2f,color:#000
style IDENTITY fill:#fff3e0,stroke:#ff9800,color:#000
style AGENTS_AI fill:#ffcdd2,stroke:#d32f2f,color:#000
| Attribute | Detail |
|---|
| Threat Agent | Nation-state actor, hacktivist |
| Attack Vector | WebSocket data injection, man-in-the-middle on data feed |
| Target | Real-time voting dashboard during live parliamentary vote |
| Impact | Display incorrect vote counts, undermine democratic trust |
| Likelihood | Medium (requires intercepting data stream) |
| Risk Score | 8.5/10 CRITICAL |
| MITRE ATT&CK | T1565 Data Manipulation, T1557 MITM |
| Planned Controls | TLS 1.3 for WebSocket, server-side data signing, client-side signature verification, comparison with official riksdagen.se data |
| Attribute | Detail |
|---|
| Threat Agent | Sophisticated attacker with CIA platform access knowledge |
| Attack Vector | Compromise cached CIA export data between fetch and display |
| Target | 19 CIA visualization products cached locally |
| Impact | Display manipulated political intelligence data across all dashboards |
| Likelihood | Low (requires pipeline or storage compromise) |
| Risk Score | 7.2/10 HIGH |
| MITRE ATT&CK | T1195 Supply Chain Compromise, T1565.001 Stored Data Manipulation |
| Planned Controls | JSON Schema validation, cryptographic integrity hashing, freshness monitoring (<24h), comparison with source checksums |
| Attribute | Detail |
|---|
| Threat Agent | AI-enabled adversary, insider threat |
| Attack Vector | Coordinate prompt injection across multiple AI workflows to create consistent disinformation |
| Target | News pipeline aggregate+render scripts + multiple per-type workflows (news-evening-analysis, news-realtime-monitor, news-propositions, news-motions, news-committee-reports, news-interpellations, news-week-ahead, news-month-ahead, news-weekly-review, news-monthly-review) consuming the same analysis/daily/$DATE/$SUB/ artifacts |
| Impact | Consistent AI-generated disinformation across all news outputs, bypassing single-workflow detection |
| Likelihood | Low (requires deep understanding of multiple workflow prompts) |
| Risk Score | 7.8/10 HIGH |
| MITRE ATT&CK | T1659 Content Injection |
| Planned Controls | Cross-workflow consistency validation, independent fact-checking per workflow, rate limiting on AI content volume, mandatory human review for correlated outputs |
| Attribute | Detail |
|---|
| Threat Agent | Nation-state actor targeting specific language communities |
| Attack Vector | Manipulate automated translation to inject politically biased content in specific languages |
| Target | Arabic, Chinese, or Korean translations (harder for Swedish team to verify) |
| Impact | Language-specific disinformation targeting diaspora communities |
| Likelihood | Medium (translation verification is resource-intensive) |
| Risk Score | 6.8/10 HIGH |
| MITRE ATT&CK | T1659 Content Injection |
| Planned Controls | Back-translation verification, native speaker review network, translation consistency scoring, data-translate attribute validation |
The scenarios above (F1โF4) are Horizon 2 threats โ they materialise while the platform is still static. The scenarios below (F5โF12) are Horizon 3 threats that only become live once managed AWS services are provisioned; they are pre-modeled so controls ship with each service (FUTURE_ARCHITECTURE.md ยง3, ยง11.4 AWS Security Services).
| Attribute | Detail |
|---|
| Threat Agent | Cloud-native attacker, AI-enabled adversary |
| Attack Vector | Inject crafted documents into the Bedrock Knowledge Base ingestion path so RAG retrieval surfaces poisoned context to Claude during answer generation |
| Target | Bedrock Knowledge Bases (109K+ document vectors) feeding natural-language queries and conversational AI |
| Impact | Authoritative-looking but fabricated citations and political analysis served to citizens and journalists |
| Likelihood | Medium (ingestion pipeline is the soft target, not the model) |
| Risk Score | 8.0/10 HIGH |
| MITRE ATT&CK | T1565.001 Stored Data Manipulation, T1195 Supply Chain Compromise |
| Planned Controls | Signed/whitelisted ingestion sources only (Riksdag/Regeringen/SCB/IMF), embedding-time provenance tags, citation-back-to-dok_id verification, RAG answer grounding score threshold, human review gate for conversational outputs |
| Attribute | Detail |
|---|
| Threat Agent | Cybercriminal, hacktivist |
| Attack Vector | Credential stuffing, OAuth token theft/replay, or broken object-level authorization on saved-search/alert resources |
| Target | Amazon Cognito user pool โ the platform's first authenticated tier (saved searches, alerts, personalization) |
| Impact | Account takeover, exposure of a citizen's political-interest profile (GDPR Art. 9 special category), defacement of personalized content |
| Likelihood | Medium (authenticated tier is a brand-new attack surface for the platform) |
| Risk Score | 7.5/10 HIGH |
| MITRE ATT&CK | T1110 Brute Force, T1539 Steal Web Session Cookie |
| Planned Controls | Mandatory MFA, Cognito advanced security (adaptive auth + compromised-credential detection), per-user resource-scoped IAM, short-lived tokens + rotation, DPIA before launch, data minimization (no political opinions persisted server-side beyond saved queries) |
| Attribute | Detail |
|---|
| Threat Agent | Nation-state APT, insider threat |
| Attack Vector | Over-scoped Lambda execution role or AppSync resolver chained to read Aurora/OpenSearch/DynamoDB beyond its purpose; KMS key misuse to decrypt at rest |
| Target | Aurora Serverless v2 political_data DB, OpenSearch indices, DynamoDB global tables |
| Impact | Bulk exfiltration or silent tampering of authoritative political datasets across regions |
| Likelihood | Low (requires account-level foothold) |
| Risk Score | 8.5/10 CRITICAL |
| MITRE ATT&CK | T1078.004 Cloud Accounts, T1530 Data from Cloud Storage, T1213 Data from Information Repositories |
| Planned Controls | Least-privilege IAM per function (one role per Lambda), VPC isolation + private endpoints, KMS key policies with grant constraints, CloudTrail data events on all stores, GuardDuty + Security Hub correlation, IAM Access Analyzer in CI |
| Attribute | Detail |
|---|
| Threat Agent | AI-enabled adversary |
| Attack Vector | Indirect prompt injection (via voice, KB context, or user query) steers a Bedrock Agent to chain tools beyond intent โ triggering writes, external calls, or content publication |
| Target | Conversational AI multi-agent system (Bedrock Agents, Lex, AppSync subscriptions) |
| Impact | Autonomous publication of manipulated content or unauthorized state changes without human review |
| Likelihood | Low-Medium (depends on agent tool scope) |
| Risk Score | 8.2/10 CRITICAL |
| MITRE ATT&CK | T1659 Content Injection, T1648 Serverless Execution |
| Planned Controls | Read-only default agent tool scope, write-action approval gates (human-in-the-loop per AI_Policy), tool allowlisting, per-session sandboxing, output-volume limits, full agent-action audit trail |
| Attribute | Detail |
|---|
| Threat Agent | Election interference actor, nation-state APT |
| Attack Vector | Poison SageMaker Feature Store / training data or forge inference inputs to skew published seat or coalition forecasts ahead of the 2026 (and later) elections |
| Target | SageMaker Serverless Inference election/coalition/MP-vote models |
| Impact | Biased forecasts erode democratic trust and could nudge voter behaviour โ a direct attack on neutrality |
| Likelihood | Medium (high-value target during election windows) |
| Risk Score | 8.0/10 HIGH |
| MITRE ATT&CK | T1565 Data Manipulation, T1195.003 Compromise Hardware/Model Supply Chain |
| Planned Controls | Versioned + hashed training datasets, Feature Store access controls, model-card provenance, published confidence intervals + methodology transparency, cross-validation against SCB/poll aggregates, expert political-scientist review before publication |
| Attribute | Detail |
|---|
| Threat Agent | Competitor, cybercriminal, hacktivist |
| Attack Vector | Deeply nested/complex GraphQL queries, schema introspection over-fetch, subscription floods, or API-key/usage-plan abuse on the public REST API |
| Target | AWS AppSync GraphQL API + Amazon API Gateway public REST endpoints |
| Impact | Cost-amplification DoS, data scraping at scale, real-time subscription hijacking |
| Likelihood | Medium (public API is internet-reachable by design) |
| Risk Score | 6.5/10 MEDIUM |
| MITRE ATT&CK | T1499 Endpoint DoS, T1190 Exploit Public-Facing Application |
| Planned Controls | Query depth/complexity limits, disabled production introspection, AWS WAF rate-based + bot-control rules, API Gateway usage plans + key rotation, per-identity throttling, Shield Standard DDoS |
| Attribute | Detail |
|---|
| Threat Agent | Nation-state APT |
| Attack Vector | Route 53 / health-check spoofing forces failover to a weaker-controlled region; replication-stream tampering or split-brain writes corrupt Aurora Global / DynamoDB Global tables |
| Target | Active-passive multi-region deployment (Aurora Global DB, DynamoDB Global Tables, S3 CRR, Route 53) |
| Impact | Integrity divergence between regions, stale or tampered data served during failover |
| Likelihood | Low (requires DNS/control-plane compromise) |
| Risk Score | 6.0/10 MEDIUM |
| MITRE ATT&CK | T1565.002 Transmitted Data Manipulation, T1583.002 DNS Server |
| Planned Controls | DNSSEC + Route 53 health-check authentication, consistent cross-region IAM via SCPs, replication integrity checksums, conflict-resolution policy, automated AWS Resilience Hub failover drills, regional config-drift detection (AWS Config) |
| Attribute | Detail |
|---|
| Threat Agent | Nation-state actor, competitor |
| Attack Vector | Spoof or tamper a foreign-parliament feed (DK/NO/FI or EU Parliament) so comparative cross-country analysis carries manipulated data through a trusted federation boundary |
| Target | Shared data-mesh comparative analytics across Nordic & EU parliaments |
| Impact | Cross-border disinformation laundered through Riksdagsmonitor's neutrality reputation |
| Likelihood | Low-Medium (each new source widens the trust boundary) |
| Risk Score | 6.2/10 MEDIUM |
| MITRE ATT&CK | T1199 Trusted Relationship, T1565.001 Stored Data Manipulation |
| Planned Controls | Per-source TLS pinning + provenance tagging, source-of-truth precedence rules, cross-source consistency scoring, per-jurisdiction freshness SLAs, explicit federation trust-boundary documentation in FUTURE_DATA_MODEL.md |
| Control ID | Control Name | Future Component | STRIDE Coverage | Implementation Target | Priority |
|---|
| FUT-001 | WebSocket TLS + Data Signing | Real-Time Voting Dashboard | T, S | Q3 2026 | ๐ด Critical |
| FUT-002 | CIA Pipeline JSON Schema Validation | CIA Data Pipeline | T, I | Q2 2026 | ๐ด Critical |
| FUT-003 | Pipeline Cryptographic Integrity | CIA Data Pipeline | T, R | Q2 2026 | ๐ด Critical |
| FUT-004 | Cross-Workflow Consistency Checks | AI Content Pipelines | T, I | Q2 2026 | ๐ด Critical |
| FUT-005 | Back-Translation Verification | Translation Pipeline | T | Q3 2026 | ๐ก High |
| FUT-006 | Profile Data Source Verification | Politician Profiles | S, T | Q3 2026 | ๐ก High |
| FUT-007 | Dashboard Data Rate Limiting | Enhanced Dashboards | D | Q2 2026 | ๐ก High |
| FUT-008 | EU Parliament API Authentication | EU Cross-Reference | S, E | Q4 2026 | ๐ก High |
| FUT-009 | Real-Time Anomaly Detection | Real-Time Dashboard | T, I | Q3 2026 | ๐ด Critical |
| FUT-010 | Automated Content Volume Limiting | AI Workflows | D, T | Q2 2026 | ๐ก High |
| FUT-011 | RAG Source Allowlist + Provenance Tagging | Bedrock Knowledge Base | T, I | 2027 Q2 | ๐ด Critical |
| FUT-012 | RAG Grounding-Score Threshold + Citation Verification | Bedrock KB / Conversational AI | T | 2027 Q2 | ๐ด Critical |
| FUT-013 | Cognito MFA + Advanced Security (adaptive auth) | Cognito Identity | S, E | 2027 Q4 | ๐ด Critical |
| FUT-014 | Per-User Resource-Scoped Authorization (anti-IDOR) | Cognito / AppSync / Aurora | I, E | 2027 Q4 | ๐ด Critical |
| FUT-015 | Least-Privilege IAM per Lambda + Access Analyzer in CI | Lambda / IAM | E | 2027 | ๐ด Critical |
| FUT-016 | CloudTrail Data Events + GuardDuty/Security Hub Correlation | All managed stores | R, I | 2027 | ๐ก High |
| FUT-017 | Agent Tool Allowlist + Write-Action Approval Gate | Bedrock Agents | E, T | 2028 | ๐ด Critical |
| FUT-018 | Versioned/Hashed Training Data + Feature-Store Access Control | SageMaker | T | 2026 Q4 | ๐ก High |
| FUT-019 | GraphQL Depth/Complexity Limits + WAF Rate Rules | AppSync / API Gateway | D | 2027 | ๐ก High |
| FUT-020 | KMS Key Policies + Envelope Encryption (at rest) | Aurora / DynamoDB / S3 | I | 2027 | ๐ด Critical |
| FUT-021 | DNSSEC + Cross-Region SCP/Config-Drift Detection | Multi-Region Resilience | T, E | 2028 | ๐ก High |
| FUT-022 | Federation Trust-Boundary Provenance + Consistency Scoring | Nordic/EU Data Mesh | S, T | 2027โ2030 | ๐ก High |
| STRIDE Category | Future Primary Control | Future Secondary Control | Future Monitoring |
|---|
| Spoofing | WebSocket TLS (FUT-001), API auth (FUT-008), Cognito MFA (FUT-013) | Data source verification (FUT-006), federation provenance (FUT-022) | Connection/auth logs, GuardDuty (FUT-016) |
| Tampering | JSON Schema validation (FUT-002), data signing (FUT-003), RAG allowlist (FUT-011) | Cross-workflow checks (FUT-004), training-data hashing (FUT-018) | Data integrity monitoring, CloudTrail data events (FUT-016) |
| Repudiation | Cryptographic integrity (FUT-003), CloudTrail data events (FUT-016) | Git-based change tracking, agent-action audit (FUT-017) | Audit trail analysis, Security Hub |
| Info Disclosure | Resource-scoped authZ (FUT-014), KMS at rest (FUT-020) | Rate limiting (FUT-007), RAG grounding (FUT-012) | Data access monitoring, Access Analyzer (FUT-015) |
| DoS | Rate limiting (FUT-007), GraphQL complexity limits (FUT-019) | WebSocket/connection limits, WAF + Shield | Performance monitoring, anomaly detection (FUT-009) |
| Elevation | Least-privilege IAM per Lambda (FUT-015), Cognito MFA (FUT-013) | Agent write-approval gate (FUT-017), cross-region SCP (FUT-021) | Privilege usage monitoring, IAM Access Analyzer |
| Threat Agent | Motivation | Capability | Future Target | Risk Trend |
|---|
| Nation-State APT | Political influence, intelligence gathering | Very High (zero-day, AI-enhanced) | Real-time voting data, politician profiles | โฌ๏ธ Increasing |
| AI-Enabled Adversary | Automated exploitation, disinformation | High (LLM-driven attacks) | Translation pipeline, multi-workflow orchestration | โฌ๏ธ Rapidly increasing |
| Hacktivist | Political disruption, ideology | Medium (commodity tools + AI) | Public dashboards, election forecasts | โก๏ธ Stable |
| Insider Threat | Data manipulation, sabotage | High (pipeline access) | CIA data pipeline, content generation | โฌ๏ธ Increasing with more contributors |
| Competitor | Market intelligence, replication | Medium (OSINT, scraping) | Dashboard algorithms, analysis methodology | โก๏ธ Stable |
| Cybercriminal | Ransomware, cryptomining | Medium (supply chain focus) | CI/CD pipeline, dependency chain | โฌ๏ธ Increasing |
| Cloud-Native Attacker (H3) | Account compromise, data theft, cost-amplification | High (IAM abuse, serverless/RAG exploitation) | Aurora/OpenSearch stores, Cognito identities, Bedrock KB, public AppSync/API Gateway | โฌ๏ธ Emerging with AWS migration |
flowchart TD
ROOT["๐ฏ Manipulate Real-Time Vote Display"]
A1["โ๏ธ A1: Compromise Data Feed<br/>Probability: 15%"]
A2["โ๏ธ A2: Man-in-the-Middle<br/>Probability: 10%"]
A3["โ๏ธ A3: Client-Side Injection<br/>Probability: 20%"]
A4["โ๏ธ A4: Cache Poisoning<br/>Probability: 12%"]
A1_1["๐ง A1.1: Compromise Riksdag API proxy"]
A1_2["๐ง A1.2: DNS hijacking of data source"]
A2_1["๐ง A2.1: TLS downgrade attack"]
A2_2["๐ง A2.2: WebSocket hijacking"]
A3_1["๐ง A3.1: XSS via dashboard parameter"]
A3_2["๐ง A3.2: Browser extension manipulation"]
A4_1["๐ง A4.1: CDN cache poisoning"]
A4_2["๐ง A4.2: LocalStorage corruption"]
ROOT --> A1
ROOT --> A2
ROOT --> A3
ROOT --> A4
A1 --> A1_1
A1 --> A1_2
A2 --> A2_1
A2 --> A2_2
A3 --> A3_1
A3 --> A3_2
A4 --> A4_1
A4 --> A4_2
style ROOT fill:#ffcdd2,stroke:#d32f2f,color:#000
style A1 fill:#fff3e0,stroke:#ff9800,color:#000
style A2 fill:#fff3e0,stroke:#ff9800,color:#000
style A3 fill:#e3f2fd,stroke:#2196f3,color:#000
style A4 fill:#fff3e0,stroke:#ff9800,color:#000
flowchart TD
ROOT2["๐ฏ Compromise CIA Intelligence Data"]
B1["โ๏ธ B1: Pipeline Source Compromise<br/>Probability: 8%"]
B2["โ๏ธ B2: Cache/Storage Manipulation<br/>Probability: 12%"]
B3["โ๏ธ B3: Schema Bypass<br/>Probability: 5%"]
B4["โ๏ธ B4: AI Content Poisoning<br/>Probability: 15%"]
B1_1["๐ง B1.1: CIA platform API manipulation"]
B1_2["๐ง B1.2: Nightly fetch interception"]
B2_1["๐ง B2.1: GitHub CDN cache poisoning"]
B2_2["๐ง B2.2: S3 bucket manipulation"]
B3_1["๐ง B3.1: Schema version mismatch exploit"]
B3_2["๐ง B3.2: JSON Schema validation bypass"]
B4_1["๐ง B4.1: Prompt injection via CIA data fields"]
B4_2["๐ง B4.2: Cross-workflow data flow contamination"]
ROOT2 --> B1
ROOT2 --> B2
ROOT2 --> B3
ROOT2 --> B4
B1 --> B1_1
B1 --> B1_2
B2 --> B2_1
B2 --> B2_2
B3 --> B3_1
B3 --> B3_2
B4 --> B4_1
B4 --> B4_2
style ROOT2 fill:#ffcdd2,stroke:#d32f2f,color:#000
style B1 fill:#fff3e0,stroke:#ff9800,color:#000
style B2 fill:#fff3e0,stroke:#ff9800,color:#000
style B3 fill:#e8f5e9,stroke:#4caf50,color:#000
style B4 fill:#fff3e0,stroke:#ff9800,color:#000
flowchart TD
ROOT3["๐ฏ Exfiltrate / Tamper Authoritative AWS Data Stores"]
C1["โ๏ธ C1: Identity Compromise<br/>Probability: 10%"]
C2["โ๏ธ C2: Over-Scoped Role Abuse<br/>Probability: 9%"]
C3["โ๏ธ C3: RAG / KB Poisoning<br/>Probability: 14%"]
C4["โ๏ธ C4: Public API Abuse<br/>Probability: 18%"]
C1_1["๐ง C1.1: Cognito credential stuffing / token replay"]
C1_2["๐ง C1.2: CI/CD OIDC role assumption"]
C2_1["๐ง C2.1: Lambda execution-role privilege escalation"]
C2_2["๐ง C2.2: KMS key-policy misuse to decrypt at rest"]
C3_1["๐ง C3.1: Poison Bedrock KB ingestion source"]
C3_2["๐ง C3.2: SageMaker feature-store / training poisoning"]
C4_1["๐ง C4.1: GraphQL depth/complexity cost-DoS"]
C4_2["๐ง C4.2: IDOR on AppSync resolver / saved data"]
ROOT3 --> C1
ROOT3 --> C2
ROOT3 --> C3
ROOT3 --> C4
C1 --> C1_1
C1 --> C1_2
C2 --> C2_1
C2 --> C2_2
C3 --> C3_1
C3 --> C3_2
C4 --> C4_1
C4 --> C4_2
style ROOT3 fill:#ffcdd2,stroke:#d32f2f,color:#000
style C1 fill:#fff3e0,stroke:#ff9800,color:#000
style C2 fill:#ffcdd2,stroke:#d32f2f,color:#000
style C3 fill:#fff3e0,stroke:#ff9800,color:#000
style C4 fill:#e3f2fd,stroke:#2196f3,color:#000
| Kill Chain Phase | Future Attack Capability | Disruption Control | Detection Mechanism |
|---|
| Reconnaissance | AI-powered API enumeration of new endpoints | Rate limiting, API key rotation (FUT-008) | API access pattern monitoring |
| Weaponization | LLM-crafted prompt injection payloads | Input validation, prompt sanitization (FUT-004) | Prompt content analysis logs |
| Delivery | Compromised data in CIA pipeline/WebSocket feeds | TLS 1.3 pinning, source verification (FUT-001, FUT-002) | Network traffic anomaly detection |
| Exploitation | Schema bypass, translation model manipulation | JSON Schema strict validation (FUT-002), model input filtering | Validation failure alerts, output consistency checking |
| Installation | Persistent cache poisoning, LocalStorage manipulation | Cache TTL enforcement, integrity hashing (FUT-003) | Cache integrity monitoring |
| C2 | AI-orchestrated multi-workflow coordination | Cross-workflow consistency checks (FUT-004), volume limiting (FUT-010) | Workflow correlation analysis |
| Actions on Objectives | Public disinformation via manipulated dashboards/news | Human review gate, source cross-validation, fact-checking | Content integrity alerts, user reporting |
| Future Feature | New Endpoints | Data Sensitivity | External Dependencies | Attack Surface Rating |
|---|
| Real-Time Voting Dashboard | WebSocket endpoint, SSE stream | Critical (live democratic data) | Riksdag API, CDN | ๐ด High |
| CIA Data Pipeline | Nightly fetch endpoint, cache API | High (19 intelligence products) | CIA Platform API, S3 | ๐ด High |
| Politician Profile Pages | Per-MP URL routes (349+ pages) | High (career/voting history) | CIA data, Riksdag API | ๐ก Medium |
| Automated Translation | LLM API calls (14 languages) | Medium (content integrity) | LLM Provider API | ๐ก Medium |
| EU Parliament Cross-Ref | EP MCP Server API, GraphQL | Medium (EU political data) | EP Open Data API | ๐ข Low |
| 5 New Dashboards | Chart data endpoints, D3 renders | Medium (aggregated analytics) | CIA data, Chart.js CDN | ๐ก Medium |
| ๐ H3 โ Bedrock AI Content Engine | Lambda invoke, Bedrock/Polly model endpoints, Step Functions | High (generated public content integrity) | Amazon Bedrock, Polly | ๐ด High |
| ๐ H3 โ Neptune + Bedrock Knowledge Base | openCypher/Gremlin, RAG retrieve/query | High (semantic intelligence) | Neptune Serverless, Bedrock KB | ๐ด High |
| ๐ H3 โ Aurora/OpenSearch/Timestream/DynamoDB | Lambda DB resolvers (private) | Critical (authoritative data) | AWS managed data services, KMS | ๐ด High |
| ๐ H3 โ AppSync GraphQL + API Gateway | Public GraphQL + REST endpoints, subscriptions | High (public API, scraping/DoS target) | AppSync, API Gateway, WAF | ๐ด High |
| ๐ H3 โ Cognito Identity | Auth/token endpoints, user-pool APIs | High (Art. 9 user profiles) | Amazon Cognito | ๐ด High |
| ๐ H3 โ SageMaker Predictive Models | Serverless inference endpoints | High (forecast integrity) | SageMaker, Feature Store | ๐ก Medium |
| ๐ H3 โ Amplify Web PWA + Mobile Apps | App API calls, push, deep links | Medium (client integrity) | Amplify, CloudFront, Shield | ๐ก Medium |
| ๐ H3 โ Conversational AI (Agents/Lex) | Chat/voice sessions, agent tool calls | Critical (autonomous actions) | Bedrock Agents, Lex, Transcribe | ๐ด High |
| ๐ H3 โ Multi-Region Resilience | Route 53 failover, cross-region replication | High (integrity across regions) | Aurora/DynamoDB Global, S3 CRR | ๐ก Medium |
| ๐ H3 โ Nordic/EU Federation | Foreign-parliament + EP API ingestion | Medium (cross-jurisdiction integrity) | DK/NO/FI + EU Parliament APIs | ๐ก Medium |
flowchart LR
subgraph EXTERNAL["๐ External Sources"]
RIKSDAG_API["Riksdag API"]
CIA_API["CIA Platform"]
EP_API["EU Parliament API"]
LLM_API["LLM Provider"]
end
subgraph PIPELINE["โ๏ธ Data Pipeline"]
FETCH["Nightly Fetch"]
VALIDATE["Schema Validation"]
TRANSFORM["Data Transform"]
CACHE["Cache Layer"]
end
subgraph DELIVERY["๐ฆ Content Delivery"]
CDN["CloudFront CDN"]
S3["S3 Static Assets"]
PAGES["GitHub Pages"]
end
subgraph CLIENT["๐ฅ๏ธ Browser Client"]
DASHBOARD["Interactive Dashboards"]
REALTIME["Real-Time Feeds"]
PROFILES["Politician Profiles"]
end
RIKSDAG_API -->|"๐ด T: Data interception"| FETCH
CIA_API -->|"๐ด T: Source compromise"| FETCH
EP_API -->|"๐ก S: API spoofing"| FETCH
LLM_API -->|"๐ด T: Response manipulation"| TRANSFORM
FETCH -->|"๐ก T: Pipeline tampering"| VALIDATE
VALIDATE -->|"๐ก I: Validation bypass"| TRANSFORM
TRANSFORM -->|"๐ก T: Cache poisoning"| CACHE
CACHE -->|"๐ก T: CDN poisoning"| CDN
CACHE --> S3
CACHE --> PAGES
CDN --> DASHBOARD
CDN --> REALTIME
CDN --> PROFILES
style EXTERNAL fill:#e3f2fd,stroke:#2196f3,color:#000
style PIPELINE fill:#fff3e0,stroke:#ff9800,color:#000
style DELIVERY fill:#e8f5e9,stroke:#4caf50,color:#000
style CLIENT fill:#f3e5f5,stroke:#9c27b0,color:#000
| OWASP LLM ID | Threat | Future Relevance | Planned Mitigation |
|---|
| LLM01 | Prompt Injection | ๐ด Critical โ More workflows = larger injection surface | Per-workflow input sanitization, prompt boundary enforcement |
| LLM02 | Insecure Output Handling | ๐ด Critical โ Auto-generated content directly published | HTML sanitization, output schema validation, human review gate |
| LLM03 | Training Data Poisoning | ๐ก Medium โ Indirect via MCP data sources | Source integrity verification, data provenance tracking |
| LLM04 | Model Denial of Service | ๐ก Medium โ Multiple concurrent workflow runs | Workflow concurrency limits, timeout enforcement, rate limiting |
| LLM05 | Supply Chain Vulnerabilities | ๐ก Medium โ LLM model updates may introduce regressions | Model version pinning, output regression testing |
| LLM06 | Sensitive Information Disclosure | ๐ข Low โ Public data only, no PII | Data classification enforcement, output filtering |
| LLM07 | Insecure Plugin Design | ๐ด Critical โ MCP server tools are "plugins" | MCP tool allowlisting, capability-based access control |
| LLM08 | Excessive Agency | ๐ด Critical โ Agents can create/edit content + trigger workflows | Write operation approval gates, output volume limits |
| LLM09 | Overreliance | ๐ก Medium โ Over-trusting AI-generated political analysis | Mandatory human editorial review, confidence scoring |
| LLM10 | Model Theft | ๐ข Low โ Using commercial API, not custom model | API key rotation, access logging |
Mapping note: the table above uses the OWASP LLM Top-10 (2023/2024) IDs already established in this document. For Horizon 3 the same risks intensify as the platform moves from build-time MCP agents to managed Bedrock Agents, Knowledge Bases (RAG) and SageMaker models. The H3-specific intensification is summarised below.
| OWASP LLM Risk | H3 Driver | H3-Specific Mitigation |
|---|
| LLM01 Prompt Injection | Indirect injection via RAG KB context, voice (Transcribe), and user queries to Bedrock Agents | Source allowlist (FUT-011), grounding-score threshold (FUT-012), per-session sandboxing |
| LLM02 Insecure Output Handling | Agents can publish content autonomously to S3/CloudFront | Write-action approval gate (FUT-017), output schema validation, human review gate |
| LLM03/04 Data Poisoning & RAG Manipulation | Bedrock KB ingestion + SageMaker Feature Store are poisonable | RAG provenance tagging (FUT-011), versioned/hashed training data (FUT-018) |
| LLM06 Sensitive Information Disclosure | Cognito introduces real user profiles (Art. 9) into prompts/briefings | Per-user scoping (FUT-014), data minimization, briefing isolation per session |
| LLM07 Insecure Plugin Design | Bedrock Agent "tools" replace MCP tools as the plugin surface | Tool allowlist (FUT-017), capability-scoped IAM (FUT-015) |
| LLM08 Excessive Agency | Multi-agent autonomous task execution (Phase 4) | Read-only default scope, write approval gates (FUT-017), agent-action audit (FUT-016) |
| LLM10 Model Theft | Custom SageMaker forecasting models now exist | Endpoint authZ, model-artifact encryption (FUT-020), access logging |
| Workflow Combination | Attack Scenario | Impact | Detection Difficulty | Planned Control |
|---|
| article-generator + evening-analysis | Coordinated disinformation: article + supporting analysis | Critical | Hard โ requires cross-workflow correlation | FUT-004: Cross-workflow consistency |
| translate + article-generator | Inject bias in translation of generated content | High | Hard โ translation errors look like hallucinations | FUT-005: Back-translation verification |
| realtime-monitor + committee-reports | Time-sensitive misinformation during live events | Critical | Medium โ timing anomalies detectable | FUT-009: Real-time anomaly detection |
| propositions + motions + weekly-review | Long-running narrative manipulation across weekly content | High | Very Hard โ gradual drift is subtle | Longitudinal content consistency analysis |
| (H3) Bedrock Agent + Knowledge Base + Step Functions | Poisoned KB context drives an agent to autonomously publish manipulated briefings | Critical | Very Hard โ looks like a grounded answer | FUT-011, FUT-012, FUT-017 |
| (H3) SageMaker forecast + news-pre-election workflow | Skewed forecast amplified into election-window articles | Critical | Hard โ forecast looks statistically plausible | FUT-018 + SCB/poll cross-validation + expert review |
Fielding the Political-Intelligence Capability Catalog (C1โC32) creates a new, high-value attack surface: an adversary who can corrupt the intelligence pipeline can launder a manipulated judgment through the platform's own credibility. These threats are distinct from generic web threats โ they target analytic integrity, calibration, neutrality and provenance. The catalog's assurance pillar (C26โC32) exists specifically to counter them.
| Component | Threat (STRIDE) | Scenario | Counter-capability |
|---|
| Multi-INT fusion graph (C6) | Tampering | Poisoned edge fabricates a personโfunding link | C8 evidence anchor (no edge without graded dok_id); human-review hold |
| Entity resolution (C1) | Spoofing | Adversary games identifiers to merge/split entities | Deterministic-key + embedding agreement; confidence floor; audit log |
| I&W tripwires (C14) | Denial of warning | Flood of decoy signals desensitizes thresholds / hides real event | Adaptive thresholds, anomaly-on-anomaly, human triage gate |
| Forecasting + calibration (C13/C29) | Tampering / Repudiation | Skewed training data degrades Brier; later denial of bias | Immutable calibration ledger; rolling Brier as release gate; assumption logs |
| FIMI early-warning (C20) | Information disclosure / abuse | Mission-creep toward citizen profiling; false attribution | Hard ethics gate, aggregate-only, advisory-not-accusatory, no profiling |
| SAT / estimative engine (C11/C22) | Tampering | Prompt-injection steers ACH toward a predetermined conclusion | C26 injection screening; devil's-advocate pass; ICD-203 + human sign-off |
| Provenance / C2PA (C8/C9) | Spoofing | Forged content credential passes synthetic evidence as authentic | KMS-signed manifests; deepfake detector; refuse-to-cite on failure |
| Neutrality gate (C31) | Elevation / bias injection | Asymmetric output ships, eroding party-neutrality | CI party-symmetry audit; block-on-asymmetry; dual-control override |
| ID | Scenario | Impact | Detection | Planned control |
|---|
| PI-T1 | Analytic-pipeline data poisoning โ adversary seeds public-looking sources to bias fusion/forecasting | Critical โ manipulated judgments gain platform credibility | Hard โ inputs look legitimate | Source-grading floor, provenance, outlier detection on ingest, calibration drift alarms |
| PI-T2 | Prompt-injection of the SAT/estimative agent via crafted document text | Critical โ steered "reasoned" conclusion | Hard โ looks like grounded analysis | C26 injection screening, Bedrock Guardrails, tool-permission minimization, human sign-off |
| PI-T3 | Provenance forgery / deepfake evidence cited in a briefing | High โ false evidence in the record | Medium โ manifest + detector checks | C2PA verification, KMS signing, synthetic-media detector, refuse-to-cite |
| PI-T4 | Neutrality subversion โ gradual asymmetric framing across products | Critical โ destroys institutional trust | Very Hard โ gradual drift | C31 party-symmetry CI gate, longitudinal symmetry monitoring, dual review |
| PI-T5 | Warning suppression / decoy flooding of I&W tripwires | High โ real coalition/vote event missed | Medium โ signal-rate anomalies | Adaptive thresholds, redundancy across indicators, human-on-the-loop |
| PI-T6 | Calibration gaming โ manipulate which questions resolve to inflate apparent accuracy | High โ misleading trust signal | Hard โ statistically subtle | Pre-registered questions, immutable ledger, independent resolution criteria |
| PI-T7 | FIMI targeting the platform itself โ adversary narratives crafted to trigger false advisories | High โ platform amplifies adversary frame | Hard โ designed to look organic | Attribution-confidence floors, ethics gate, human framing, advisory-only output |
| Scenario | STRIDE | MITRE ATT&CK / ATLAS | OWASP LLM Top 10 |
|---|
| PI-T1 poisoning | Tampering | ATLAS: ML Supply-Chain / Data Poisoning | LLM03 Training-Data Poisoning |
| PI-T2 injection | Tampering / EoP | ATLAS: LLM Prompt Injection | LLM01 Prompt Injection |
| PI-T3 provenance forgery | Spoofing | T1565 Data Manipulation | LLM08 Excessive Agency (citation) |
| PI-T4 neutrality | Repudiation / bias | โ (governance) | LLM09 Overreliance |
| PI-T5 warning suppression | DoS | T1499 Endpoint DoS (signal) | LLM04 Model DoS |
| PI-T6 calibration gaming | Repudiation | โ (integrity) | LLM09 Overreliance |
| PI-T7 FIMI targeting | Information abuse | DISARM TTPs | LLM09 Overreliance |
Governing principle. Every intelligence-capability threat is met by an integrity-by-construction control, not by trust in the model: evidence anchoring, immutable calibration, provenance signing, neutrality-as-a-CI-gate, and a mandatory human-on-the-loop before any estimative product is published. See FUTURE_SECURITY_ARCHITECTURE.md for the corresponding controls.
The platform's mission is democratic transparency โ any threat that subverts, distorts, or undermines public accountability is existential regardless of technical sophistication.
Riksdagsmonitor occupies a unique position: a neutral, AI-powered democratic-intelligence platform whose outputs influence citizen understanding of parliamentary proceedings. This creates a category of threats distinct from generic cybersecurity โ threats to democratic processes, institutional trust, and political neutrality that no standard web-security framework adequately covers.
flowchart TB
subgraph DEMOCRATIC_THREATS["๐ณ๏ธ Democratic Integrity Threats"]
direction TB
DT1["๐ญ Neutrality Subversion<br/>Asymmetric framing across parties"]
DT2["๐ Forecast Weaponization<br/>Biased predictions influence voters"]
DT3["๐๏ธ Information Laundering<br/>Adversary narratives gain platform credibility"]
DT4["๐ Accountability Suppression<br/>Hide/downplay political misconduct"]
DT5["โก Election-Window Exploitation<br/>Time-critical attacks during campaigns"]
DT6["๐ Cross-Border Influence<br/>Foreign interference via federation"]
end
subgraph DEMOCRATIC_CONTROLS["๐ก๏ธ Democratic Safeguards"]
direction TB
DC1["โ๏ธ Party-Symmetry CI Gate<br/>Automated neutrality enforcement"]
DC2["๐ Calibration Ledger<br/>Immutable forecast accuracy tracking"]
DC3["๐ Source-Grade Floor<br/>Minimum evidence threshold"]
DC4["๐๏ธ Human-on-the-Loop<br/>Mandatory editorial oversight"]
DC5["๐ซ Election Cooling Period<br/>Restricted AI during election silence"]
DC6["๐ค Federation Trust Boundaries<br/>Per-source integrity verification"]
end
subgraph DEMOCRATIC_ACTORS["๐ฅ Democratic Threat Actors"]
direction TB
DA1["๐๏ธ State-Sponsored IO<br/>Foreign influence operations"]
DA2["๐ช Domestic Political Operatives<br/>Partisan manipulation attempts"]
DA3["๐ค Autonomous AI Agents<br/>Unintended bias amplification"]
DA4["๐ฐ Disinformation Networks<br/>Coordinated inauthentic behavior"]
end
DA1 --> DT3
DA1 --> DT6
DA2 --> DT1
DA2 --> DT4
DA3 --> DT1
DA3 --> DT2
DA4 --> DT3
DA4 --> DT5
DT1 -.->|mitigated by| DC1
DT2 -.->|mitigated by| DC2
DT3 -.->|mitigated by| DC3
DT4 -.->|mitigated by| DC4
DT5 -.->|mitigated by| DC5
DT6 -.->|mitigated by| DC6
style DEMOCRATIC_THREATS fill:#fff3e0,stroke:#e65100,color:#000
style DEMOCRATIC_CONTROLS fill:#e8f5e9,stroke:#2e7d32,color:#000
style DEMOCRATIC_ACTORS fill:#fce4ec,stroke:#c62828,color:#000
| Attribute | Detail |
|---|
| ๐ญ Threat Agent | Autonomous AI drift (unintentional), sophisticated insider, domestic political operative |
| โ๏ธ Attack Vector | Subtle, consistent asymmetry in AI-generated content: tone, coverage depth, or framing favors one bloc over another across hundreds of articles over weeks/months |
| ๐ฏ Target | The platform's core neutrality invariant โ equal treatment of all 8 Riksdag parties |
| ๐ฅ Impact | Institutional credibility destroyed; platform becomes a perceived partisan tool; cited in political campaigns as evidence of bias |
| ๐ Likelihood | Medium-High (LLM training biases are well-documented; drift is natural without active correction) |
| โ ๏ธ Risk Score | 9.0/10 CRITICAL |
| ๐๏ธ MITRE ATT&CK | T1659 Content Injection (adapted: content bias injection) |
| ๐ก๏ธ Planned Controls | FUT-023: Party-symmetry CI gate (automated), FUT-024: longitudinal sentiment-balance monitoring, dual-review for cross-party articles, mandatory bloc-parity metrics in every weekly review |
| Attribute | Detail |
|---|
| ๐ญ Threat Agent | Election interference actor, nation-state information operation |
| โ๏ธ Attack Vector | Timing-aware attack: manipulate SageMaker forecast inputs or translation pipeline during the 30-day pre-election window when media amplification is maximal |
| ๐ฏ Target | Published seat/coalition predictions, pre-election news coverage, voter information pages |
| ๐ฅ Impact | Biased forecasts amplified by media; potential violation of Swedish election silence conventions; voter behavior influence; legal/regulatory consequences |
| ๐ Likelihood | Medium (high-value target with clear temporal window) |
| โ ๏ธ Risk Score | 8.8/10 CRITICAL |
| ๐๏ธ MITRE ATT&CK | T1565 Data Manipulation, T1583.006 Web Services |
| ๐ก๏ธ Planned Controls | FUT-025: Election cooling-period protocol (restricted AI autonomy, mandatory human approval for all election-relevant content), elevated monitoring, cross-validation with SCB/Valmyndigheten, explicit uncertainty disclosure |
| Attribute | Detail |
|---|
| ๐ญ Threat Agent | Domestic political operative, insider threat, sophisticated lobbyist |
| โ๏ธ Attack Vector | Manipulate content pipeline to suppress, delay, or downplay politically inconvenient information (votes, motions, committee decisions) while amplifying favorable narratives |
| ๐ฏ Target | News article generation, politician profile pages, voting record displays |
| ๐ฅ Impact | Platform becomes complicit in accountability evasion; undermines democratic oversight function; erosion of public trust |
| ๐ Likelihood | Low-Medium (requires insider access or pipeline compromise) |
| โ ๏ธ Risk Score | 7.5/10 HIGH |
| ๐๏ธ MITRE ATT&CK | T1565.001 Stored Data Manipulation, T1070 Indicator Removal |
| ๐ก๏ธ Planned Controls | FUT-026: Completeness audit (automated check that all Riksdag decisions/votes are covered), source-of-record reconciliation with riksdagen.se, time-to-publish SLA monitoring, dual-control on content deletion |
| Attribute | Detail |
|---|
| ๐ญ Threat Agent | Foreign information operation (FIMI), coordinated inauthentic network |
| โ๏ธ Attack Vector | Seed manipulated data into upstream sources (Riksdag API responses, government press releases via g0v.se, foreign parliament feeds) knowing Riksdagsmonitor will automatically ingest, validate, and republish โ laundering disinformation through the platform's trusted reputation |
| ๐ฏ Target | External data ingestion paths: Riksdag API, Regeringen/g0v.se, SCB, IMF, Nordic/EU parliament feeds |
| ๐ฅ Impact | Platform amplifies state-sponsored disinformation with the credibility of "independently verified" parliamentary analysis |
| ๐ Likelihood | Low-Medium (requires compromising or spoofing upstream government sources) |
| โ ๏ธ Risk Score | 8.0/10 HIGH |
| ๐๏ธ MITRE ATT&CK | T1199 Trusted Relationship, T1659 Content Injection |
| ๐ก๏ธ Planned Controls | FUT-027: Multi-source cross-validation (never rely on single source), anomaly detection on ingest deltas, provenance chain verification, source-grading with confidence floors, human escalation for statistically improbable data changes |
Horizon 3 introduces the platform's first authenticated user tier โ transforming privacy from a non-concern to a critical obligation.
flowchart LR
subgraph USER_DATA["๐ค H3 User Data at Risk"]
UD1["๐ Saved Searches<br/>Reveal political interests"]
UD2["๐ Alert Subscriptions<br/>Track political monitoring"]
UD3["๐ Personalization<br/>Behavioral profile"]
UD4["๐ฌ Chat History<br/>Political questions asked"]
end
subgraph GDPR_THREATS["โ ๏ธ Privacy Threats"]
GT1["๐ Art. 9 Violation<br/>Special-category data exposure"]
GT2["๐ต๏ธ Profiling Risk<br/>Political opinion inference"]
GT3["๐ Cross-Border Transfer<br/>Multi-region data residency"]
GT4["๐๏ธ Erasure Complexity<br/>Right-to-be-forgotten across replicas"]
GT5["๐ Linkage Attack<br/>De-anonymization via query patterns"]
end
subgraph PRIVACY_CONTROLS["๐ก๏ธ Privacy Controls"]
PC1["๐ DPIA Mandatory<br/>Before Cognito launch"]
PC2["๐ Data Minimization<br/>No opinions stored server-side"]
PC3["๐ EU Data Residency<br/>eu-west-1 primary"]
PC4["โฑ๏ธ Auto-Purge<br/>Configurable retention"]
PC5["๐ญ Pseudonymization<br/>Query-level privacy"]
end
UD1 --> GT1
UD2 --> GT2
UD3 --> GT5
UD4 --> GT1
GT1 -.->|mitigated by| PC1
GT2 -.->|mitigated by| PC2
GT3 -.->|mitigated by| PC3
GT4 -.->|mitigated by| PC4
GT5 -.->|mitigated by| PC5
style USER_DATA fill:#e3f2fd,stroke:#1565c0,color:#000
style GDPR_THREATS fill:#ffebee,stroke:#c62828,color:#000
style PRIVACY_CONTROLS fill:#e8f5e9,stroke:#2e7d32,color:#000
| Attribute | Detail |
|---|
| ๐ญ Threat Agent | Data breach attacker, insider, law enforcement overreach |
| โ๏ธ Attack Vector | Aggregate saved searches, alert patterns, and chatbot questions to infer a user's political opinions โ GDPR Article 9 special-category data โ without explicit consent for that processing purpose |
| ๐ฏ Target | Cognito user profiles + associated DynamoDB/Aurora query history |
| ๐ฅ Impact | Violation of GDPR Art. 9 (processing special-category data without lawful basis); regulatory fines up to 4% annual turnover; chilling effect on civic engagement |
| ๐ Likelihood | Medium (inference is technically straightforward once data is collected) |
| โ ๏ธ Risk Score | 8.5/10 CRITICAL |
| ๐๏ธ MITRE ATT&CK | T1530 Data from Cloud Storage, T1213 Data from Information Repositories |
| ๐ก๏ธ Planned Controls | FUT-028: Privacy-by-design architecture (no server-side political-opinion storage), client-side encryption for saved queries, aggregate-only analytics, automated data minimization, DPIA gate before any new data collection, privacy-preserving personalization (on-device ML) |
| Attribute | Detail |
|---|
| ๐ญ Threat Agent | Configuration error, multi-region replication misconfiguration |
| โ๏ธ Attack Vector | DynamoDB Global Tables or Aurora Global replication copies EU citizen data to non-adequate jurisdictions (e.g., us-east-1) without proper safeguards |
| ๐ฏ Target | User personal data in DynamoDB/Aurora replicas |
| ๐ฅ Impact | GDPR Chapter V violation (international transfer without adequacy/safeguards); Schrems II implications |
| ๐ Likelihood | Low (requires misconfiguration, but multi-region is complex) |
| โ ๏ธ Risk Score | 6.5/10 MEDIUM |
| ๐๏ธ MITRE ATT&CK | T1537 Transfer Data to Cloud Account |
| ๐ก๏ธ Planned Controls | FUT-029: Geo-fenced replication (user PII stays in eu-west-1), AWS Config rules enforcing data residency, SCP preventing PII table replication to non-EU regions, automated compliance drift detection |
The platform's AI supply chain extends beyond npm packages to foundation models, training data, and MCP tool ecosystems โ each a potential vector for subtle, high-impact compromise.
flowchart TD
subgraph AI_SUPPLY_CHAIN["๐ค AI Supply Chain Attack Surface"]
direction TB
SC1["๐ง Foundation Model Updates<br/>Behavioral regression on upgrade"]
SC2["๐ฆ MCP Server Dependencies<br/>Tool-level supply chain"]
SC3["๐ Training Data Provenance<br/>Poisoned public datasets"]
SC4["๐ง Prompt Template Integrity<br/>Workflow instruction tampering"]
SC5["๐ External API Dependencies<br/>Riksdag/SCB/IMF availability"]
end
subgraph GOVERNANCE_THREATS["โ๏ธ AI Governance Threats"]
direction TB
AG1["๐ EU AI Act Non-Compliance<br/>Regulatory classification change"]
AG2["๐ฏ Model Behavior Drift<br/>Post-update output degradation"]
AG3["๐ Vendor Lock-In Exploitation<br/>AWS service discontinuation"]
AG4["๐ Transparency Debt<br/>Unexplainable model decisions"]
end
subgraph SUPPLY_CONTROLS["๐ก๏ธ Supply Chain Controls"]
direction TB
SCC1["๐ Model Version Pinning<br/>+ regression testing"]
SCC2["๐ SLSA Level 3<br/>Build provenance"]
SCC3["โ
Output Regression Suite<br/>Golden-set validation"]
SCC4["๐ AI Model Cards<br/>Transparency documentation"]
SCC5["๐ Multi-Model Fallback<br/>Provider redundancy"]
end
SC1 --> AG2
SC2 --> AG1
SC3 --> AG2
SC4 --> AG1
SC5 --> AG3
AG1 -.->|mitigated by| SCC4
AG2 -.->|mitigated by| SCC1
AG2 -.->|mitigated by| SCC3
AG3 -.->|mitigated by| SCC5
AG4 -.->|mitigated by| SCC4
style AI_SUPPLY_CHAIN fill:#fff3e0,stroke:#e65100,color:#000
style GOVERNANCE_THREATS fill:#fce4ec,stroke:#c62828,color:#000
style SUPPLY_CONTROLS fill:#e8f5e9,stroke:#2e7d32,color:#000
| Attribute | Detail |
|---|
| ๐ญ Threat Agent | Model provider (unintentional), adversary targeting model training |
| โ๏ธ Attack Vector | A Claude or Bedrock model update introduces subtle behavioral changes: different political framing, altered fact-selection preferences, or degraded neutrality in Swedish-language outputs |
| ๐ฏ Target | All AI-generated content (14 news workflows, translation, analysis) |
| ๐ฅ Impact | Gradual quality/neutrality degradation across all outputs; potentially undetected for days if regression is subtle |
| ๐ Likelihood | Medium (model updates are frequent; political-content testing is specialized) |
| โ ๏ธ Risk Score | 7.0/10 HIGH |
| ๐๏ธ MITRE ATT&CK | T1195.003 Compromise Hardware Supply Chain (adapted: model supply chain) |
| ๐ก๏ธ Planned Controls | FUT-030: Model regression test suite (golden-set political content), automated neutrality scoring on model upgrade, staged rollout (canary โ full), model version pinning with explicit upgrade gates |
| Attribute | Detail |
|---|
| ๐ญ Threat Agent | Regulatory environment change |
| โ๏ธ Attack Vector | EU AI Act enforcement classifies the platform's election forecasting or political analysis as "high-risk AI" (Annex III, Category 8: administration of justice/democratic processes), triggering mandatory conformity assessment, transparency obligations, and human-oversight requirements |
| ๐ฏ Target | Platform operational model, AI governance framework, compliance posture |
| ๐ฅ Impact | Mandatory conformity assessment, potential operational restrictions during compliance period, significant documentation/audit requirements |
| ๐ Likelihood | Medium (political-analysis AI is an emerging regulatory gray area) |
| โ ๏ธ Risk Score | 6.5/10 MEDIUM |
| ๐๏ธ MITRE ATT&CK | N/A (regulatory threat) |
| ๐ก๏ธ Planned Controls | FUT-031: Proactive EU AI Act alignment (maintain documentation as if high-risk), model cards per Bedrock model, human-oversight architecture already designed, transparency reports, regular legal-counsel review of classification guidance |
| Attribute | Detail |
|---|
| ๐ญ Threat Agent | Supply-chain attacker, compromised open-source maintainer |
| โ๏ธ Attack Vector | Compromise an MCP server dependency (riksdag-regering, scb, world-bank, or upstream npm packages) to inject malicious tool responses into agentic workflows |
| ๐ฏ Target | 14 agentic news workflows consuming MCP tool responses as trusted inputs |
| ๐ฅ Impact | Poisoned data flows through multiple workflows, generating and publishing manipulated content at scale |
| ๐ Likelihood | Low-Medium (MCP ecosystem is young, rapidly evolving, less audited than mature npm packages) |
| โ ๏ธ Risk Score | 7.5/10 HIGH |
| ๐๏ธ MITRE ATT&CK | T1195.001 Compromise Software Dependencies and Development Tools |
| ๐ก๏ธ Planned Controls | FUT-032: MCP server integrity verification (SHA-pinned versions, SBOM tracking), response schema validation, anomaly detection on MCP responses, sandboxed tool execution, SLSA Level 3 provenance for all build inputs |
As Riksdagsmonitor expands to Nordic and EU parliaments, it enters a contested information environment where state-level actors actively seek to undermine democratic institutions.
flowchart TB
subgraph GEO_CONTEXT["๐ Geopolitical Context (2026โ2037)"]
direction LR
GC1["๐ท๐บ Hybrid Warfare<br/>Information operations<br/>targeting Nordic democracies"]
GC2["๐จ๐ณ Influence Operations<br/>United Front Work targeting<br/>diaspora communities"]
GC3["๐ด Non-State FIMI<br/>Coordinated inauthentic<br/>behavior networks"]
GC4["๐ค AI-Powered IO<br/>Synthetic media &<br/>automated propaganda"]
end
subgraph PLATFORM_EXPOSURE["๐ก Platform Exposure Points"]
direction LR
PE1["๐ 14-Language Surface<br/>Each language = unique<br/>disinformation vector"]
PE2["๐ฎ Forecast Outputs<br/>Election predictions as<br/>influence leverage"]
PE3["๐ค Federation Trust<br/>Nordic/EU data mesh<br/>as attack vector"]
PE4["๐ Credibility Capital<br/>Platform trust as<br/>laundering vehicle"]
end
subgraph GEO_DEFENSES["๐ก๏ธ Geopolitical Defenses"]
direction LR
GD1["๐ FIMI Detection (C20)<br/>Early-warning indicators"]
GD2["๐ Source Grading<br/>Confidence-floor enforcement"]
GD3["๐ Per-Language Review<br/>Native-speaker verification"]
GD4["โ๏ธ Advisory-Only Output<br/>No accusatory attribution"]
end
GC1 --> PE3
GC1 --> PE1
GC2 --> PE1
GC3 --> PE4
GC4 --> PE2
PE1 -.->|defended by| GD3
PE2 -.->|defended by| GD2
PE3 -.->|defended by| GD1
PE4 -.->|defended by| GD4
style GEO_CONTEXT fill:#ffebee,stroke:#b71c1c,color:#000
style PLATFORM_EXPOSURE fill:#fff3e0,stroke:#e65100,color:#000
style GEO_DEFENSES fill:#e8f5e9,stroke:#1b5e20,color:#000
The 14-language surface creates asymmetric verification challenges: content in languages without native-speaker review capacity (Arabic, Chinese, Japanese, Korean, Hebrew) presents higher manipulation risk.
| Language Tier | Languages | Verification Capacity | Manipulation Risk | Control |
|---|
| ๐ข Tier 1 โ Native Review | Swedish (sv), English (en) | Full native review | Low | Direct editorial oversight |
| ๐ก Tier 2 โ Accessible Review | Norwegian (no), Danish (da), Finnish (fi), German (de), French (fr), Spanish (es), Dutch (nl) | Accessible via Nordic/EU network | Medium | Back-translation + network review |
| ๐ด Tier 3 โ Limited Review | Arabic (ar), Hebrew (he), Japanese (ja), Korean (ko), Chinese (zh) | Limited native review capacity | High | Enhanced back-translation, automated semantic-similarity scoring, community verification pipeline |
| Control ID | Control Name | Threat Addressed | STRIDE Coverage | Implementation Target | Priority |
|---|
| FUT-023 | Party-Symmetry CI Gate (automated neutrality audit) | F13: Neutrality Erosion | T, R | Q2 2026 | ๐ด Critical |
| FUT-024 | Longitudinal Sentiment-Balance Monitoring | F13: Neutrality Erosion | T | Q3 2026 | ๐ด Critical |
| FUT-025 | Election Cooling-Period Protocol | F14: Election Manipulation | T, D | Q3 2026 | ๐ด Critical |
| FUT-026 | Completeness Audit (Riksdag decision coverage) | F15: Accountability Suppression | R, I | Q2 2026 | ๐ก High |
| FUT-027 | Multi-Source Cross-Validation on Ingest | F16: Information Laundering | S, T | Q2 2026 | ๐ด Critical |
| FUT-028 | Privacy-by-Design Architecture (no opinion storage) | F17: Political-Opinion Inference | I | 2027 Q3 | ๐ด Critical |
| FUT-029 | Geo-Fenced Replication (EU PII residency) | F18: Data Residency Violation | I | 2027 Q4 | ๐ก High |
| FUT-030 | Model Regression Test Suite (golden-set) | F19: Model Behavioral Regression | T | Q2 2026 | ๐ก High |
| FUT-031 | Proactive EU AI Act Alignment | F20: Regulatory Reclassification | โ | Q4 2026 | ๐ก High |
| FUT-032 | MCP Server Integrity Verification (SHA-pinned) | F21: MCP Ecosystem Compromise | S, T | Q2 2026 | ๐ด Critical |
| STRIDE Category | Democratic/Privacy Primary Control | Secondary Control | Monitoring |
|---|
| Spoofing | Multi-source cross-validation (FUT-027) | MCP integrity verification (FUT-032) | Source-grade monitoring, ingest anomaly alerts |
| Tampering | Party-symmetry CI gate (FUT-023), model regression suite (FUT-030) | Election cooling protocol (FUT-025) | Longitudinal sentiment monitoring (FUT-024) |
| Repudiation | Completeness audit (FUT-026) | Immutable calibration ledger | Decision-coverage gap alerts |
| Info Disclosure | Privacy-by-design (FUT-028), geo-fenced replication (FUT-029) | Data minimization, auto-purge | Privacy-impact continuous assessment |
| DoS | Election cooling protocol (FUT-025) | Rate limiting, human-escalation gates | Election-window monitoring escalation |
| Elevation | EU AI Act alignment (FUT-031) | Neutrality-as-governance | Regulatory landscape scanning |
| Threat | Horizon | Likelihood (1-5) | Impact (1-5) | Risk Score | Treatment |
|---|
| Gradual neutrality erosion via AI drift | H2 | 4 | 5 | 20 CRITICAL | MITIGATE (FUT-023, FUT-024) |
| Election-period forecast manipulation | H2/H3 | 3 | 5 | 15 CRITICAL | MITIGATE (FUT-025) |
| Democratic accountability suppression | H2 | 2 | 5 | 10 CRITICAL | MITIGATE (FUT-026) |
| Information laundering via platform credibility | H2 | 2 | 4 | 8 HIGH | MITIGATE (FUT-027) |
| Political-opinion inference from usage | H3 | 3 | 4 | 12 HIGH | MITIGATE (FUT-028) |
| Cross-region data residency violation | H3 | 1 | 4 | 4 MEDIUM | MITIGATE (FUT-029) |
| Foundation model behavioral regression | H2 | 3 | 3 | 9 HIGH | MITIGATE (FUT-030) |
| EU AI Act regulatory reclassification | H3 | 3 | 3 | 9 HIGH | MITIGATE (FUT-031) |
| MCP tool ecosystem compromise | H2 | 2 | 4 | 8 HIGH | MITIGATE (FUT-032) |
quadrantChart
title Future Threat Risk Heat Map
x-axis "Low Likelihood" --> "High Likelihood"
y-axis "Low Impact" --> "High Impact"
quadrant-1 "๐ด Critical โ Immediate Action"
quadrant-2 "๐ก High โ Plan Mitigation"
quadrant-3 "๐ข Low โ Monitor"
quadrant-4 "๐ก Medium โ Assess Controls"
"Neutrality Erosion (F13)": [0.75, 0.95]
"Election Manipulation (F14)": [0.60, 0.90]
"Vote Data Tampering (F1)": [0.55, 0.92]
"Agent Excessive Agency (F8)": [0.40, 0.90]
"IAM Escalation (F7)": [0.35, 0.92]
"RAG Poisoning (F5)": [0.55, 0.80]
"Forecast Manipulation (F9)": [0.55, 0.80]
"Information Laundering (F16)": [0.40, 0.78]
"Accountability Suppression (F15)": [0.35, 0.85]
"Model Regression (F19)": [0.55, 0.60]
"MCP Compromise (F21)": [0.40, 0.72]
"API Abuse (F10)": [0.55, 0.45]
"Data Residency (F18)": [0.20, 0.65]
"EU AI Act (F20)": [0.55, 0.55]
| Phase | Trigger | Activities | Output |
|---|
| Pre-Implementation | Feature design finalized | STRIDE analysis, attack tree construction, control design | Feature-specific threat addendum |
| During Implementation | Code review, PR merge | Security testing, SAST/DAST scanning, dependency audit | Security test results, remediation items |
| Post-Deployment | Feature goes live | Penetration testing, monitoring activation, alert tuning | Deployment security report |
| Ongoing | Quarterly review | Threat landscape update, control effectiveness assessment | Updated risk scores, new mitigations |
| KPI | Target | Measurement Method |
|---|
| New feature threat coverage | 100% STRIDE per component | Feature threat model completeness |
| Time to detect data manipulation | < 15 minutes | Integrity check monitoring |
| Cross-workflow anomaly detection rate | > 95% | Consistency check pass rate |
| Translation integrity score | > 98% accuracy | Back-translation verification rate |
| Pipeline data freshness SLA | < 24 hours | Cache timestamp monitoring |
| WebSocket connection security | 100% TLS 1.3 | Connection protocol audit |
| RAG / Knowledge-Base source provenance (H3) | 100% allow-listed | Bedrock KB ingestion audit |
| Bedrock Agent action-scope conformance (H3) | 100% within least-privilege policy | Agent action-group / guardrail audit |
| Cognito MFA enrolment for authenticated tier (H3) | 100% of accounts | Identity provider compliance report |
| IAM least-privilege drift (H3) | 0 over-privileged roles | IAM Access Analyzer findings |
| Multi-region replication integrity (H3) | 100% checksum match | Cross-region reconciliation audit |
Scores split by horizon. H2 threats can materialise 2026โ2027 while the platform is still static; H3 threats only become live once managed AWS services are provisioned (2027+).
| Threat | Horizon | Likelihood (1-5) | Impact (1-5) | Risk Score | Treatment |
|---|
| Real-time vote data manipulation | H2 | 3 | 5 | 15 CRITICAL | MITIGATE (FUT-001, FUT-009) |
| CIA pipeline cache poisoning | H2 | 2 | 4 | 8 HIGH | MITIGATE (FUT-002, FUT-003) |
| Multi-workflow AI orchestration attack | H2 | 2 | 4 | 8 HIGH | MITIGATE (FUT-004) |
| Translation integrity attack | H2 | 3 | 3 | 9 HIGH | MITIGATE (FUT-005) |
| Dashboard rendering DoS | H2 | 3 | 2 | 6 MEDIUM | MITIGATE (FUT-007) |
| Politician profile defacement | H2 | 2 | 3 | 6 MEDIUM | MITIGATE (FUT-006) |
| EU Parliament API compromise | H2 | 1 | 3 | 3 LOW | ACCEPT + MONITOR (FUT-008) |
| Lambda/IAM privilege escalation & data exfiltration | H3 | 2 | 5 | 10 CRITICAL | MITIGATE (FUT-015, FUT-016, FUT-020) |
| Bedrock Agent excessive agency | H3 | 2 | 5 | 10 CRITICAL | MITIGATE (FUT-017) |
| Bedrock Knowledge-Base / RAG poisoning | H3 | 3 | 4 | 12 HIGH | MITIGATE (FUT-011, FUT-012) |
| SageMaker election-forecast manipulation | H3 | 3 | 4 | 12 HIGH | MITIGATE (FUT-018) |
| Cognito account takeover & IDOR | H3 | 3 | 3 | 9 HIGH | MITIGATE (FUT-013, FUT-014) |
| AppSync/API Gateway public-API abuse | H3 | 3 | 2 | 6 MEDIUM | MITIGATE (FUT-019) |
| Multi-region failover & replication tampering | H3 | 1 | 4 | 4 MEDIUM | MITIGATE (FUT-021) |
| Nordic/EU federation cross-jurisdiction integrity | H3 | 2 | 3 | 6 MEDIUM | MITIGATE (FUT-022) |
๐ Document Owner: James Pether Sรถrling, CEO & CISO
๐ Version: 2.1
๐
Last Updated: 2026-06-02 (UTC)
โ
Approved by: James Pether Sรถrling, CEO
๐ Review Cycle: Quarterly (Feb, May, Aug, Nov)
โฐ Next Review: 2026-09-02
๐ข Owner: Hack23 AB (Org.nr 5595347807)
๐ค Distribution: Public
๐ท๏ธ Classification:

| Version | Date | Author | Changes |
|---|
| 2.1 | 2026-06-02 | James Pether Sรถrling | Added Democratic Integrity & Accountability Threats (F13-F16); Privacy/GDPR threats (F17-F18); Supply Chain & AI Governance threats (F19-F21); Geopolitical & FIMI section; extended controls FUT-023โFUT-032; risk heat map; language-specific threat vectors table; 5 new mermaid diagrams |
| 2.0 | 2026-05-31 | James Pether Sรถrling | Major expansion: Three-Horizon framework, Crown Jewel analysis, Attack Trees, Kill Chain mapping, OWASP LLM Top 10, Political-Intelligence capabilities |
| 1.0 | 2026-04-15 | James Pether Sรถrling | Initial future threat model with STRIDE and basic scenarios |
๐ฏ Framework Alignment:

Baseline: the already-implemented IMF STRIDE coverage (T-IMF-01..07) lives in THREAT_MODEL.md ยงIMF. The rows below (T-IMF-F-01..08) add future-state threats that emerge when the runtime migrates to Lambda + Aurora โ they extend the baseline rather than replace it.
Authoritative hub: analysis/imf/README.md ยท analysis/imf/agentic-integration.md ยท analysis/imf/indicators-inventory.json ยท analysis/imf/data-dictionary.md ยท .github/aw/ECONOMIC_DATA_CONTRACT.md
| ID | Element | STRIDE | Description | Likelihood | Impact | Mitigation |
|---|
| T-IMF-F-01 | IMF cache (Aurora) | Tampering | Vintage substitution attack โ older WEO vintage swapped for newer label | LOW | HIGH | SHA-256 payload pin + immutable supersedes-chain + CloudTrail audit |
| T-IMF-F-02 | IMF egress path | DoS | Workflow exhausts IMF rate limit (~30 req/min) โ blocks legitimate articles | MEDIUM | MEDIUM | Cache-first; โค30 req/min self-imposed; exponential back-off; metric alarm |
| T-IMF-F-03 | IMF payload | Repudiation | Article cites "IMF projects 2.1% growth" without vintage label โ unauditable | MEDIUM | MEDIUM | economicProvenance row required for every economic claim; cite_text mandatory |
| T-IMF-F-04 | IMF Datamapper schema | Tampering | Upstream schema change between WEO Apr/Oct cycles silently corrupts cache | LOW | HIGH | Version-pinned client guard; CI integration test against IMF sandbox |
| T-IMF-F-05 | IMF data licence | Repudiation | Article reuses IMF figure without attribution (licence violation) | LOW | MEDIUM | Article footer template auto-emits IMF citation block; lint enforces |
| T-IMF-F-06 | IMF cache fallback | Information disclosure | Stale vintage served to readers as current | LOW | MEDIUM | Vintage-age badge (yellow >3mo, red >6mo); ECONOMIC_DATA_CONTRACT v2.1 banned phrases |
| T-IMF-F-07 | IMF + SCB cross-validation | Tampering | IMF SWE figure diverges >0.3pp from SCB national-accounts (silent error) | LOW | MEDIUM | Quarterly cross-validation worker opens editorial-review issue |
| T-IMF-F-08 | IMF script supply chain | Elevation | tsx scripts/imf-fetch.ts execution path tampered upstream | LOW | HIGH | Script in-repo; reviewed; no dynamic eval; harden-runner egress audit |
| Tactic | Technique | IMF-specific application |
|---|
| TA0006 Credential Access | T1552 Unsecured credentials | Datamapper transport is unauthenticated; SDMX 3.0 uses an Azure APIM subscription key (IMF_SDMX_SUBSCRIPTION_KEY) stored only as a GitHub Actions secret (never on disk, never logged); rotation playbook in analysis/imf/agentic-integration.md |
| TA0007 Discovery | T1083 File and directory discovery | Cache directory permissions (read-only to article workers) |
| TA0009 Collection | T1530 Cloud storage object | Aurora row-level access controls |
| TA0040 Impact | T1485 Data destruction | Supersedes-chain prevents destructive overwrite |
Egress hosts (allow-list): www.imf.org (Datamapper REST ยท WEO/FM, unauthenticated), api.imf.org (SDMX 3.0 REST ยท IFS/BOP/DOTS/GFS/PCPS/ER/MFS_IR/MFS_PR, subscription-key authenticated via the Azure APIM Ocp-Apim-Subscription-Key header / IMF_SDMX_SUBSCRIPTION_KEY secret). Both HTTPS-only; payloads are public macro statistics with no PII.
Canonical rule. Every economic claim in a Riksdagsmonitor article cites an IMF dataflow first; World Bank citations are reserved for governance, environment and social residue (the classes IMF does not publish). SCB is the Swedish-specific ground truth layer. See ECONOMIC_DATA_CONTRACT.md v2.1 for the banned-phrase list and vintage discipline (>6 mo โ annotation).
๐ณ๏ธ Empower citizens ยท ๐ Strengthen democratic accountability ยท ๐ต๏ธ Illuminate the political process
ยฉ 2008โ2026 Hack23 AB (Org.nr 559534-7807) ยท Maintainer: James Pether Sรถrling, CISSP CISM