
6/27/2018
02:30 PM
Mike Convertino
Commentary

Russia, Facebook & Cybersecurity: Combating Weaponized FUD in the Social Media Age

It's up to everyone -- users, security pros, government -- to be critical about the online information we encounter.

In the weeks since indictments were handed down from the ongoing investigation into Russia's influence over the 2016 United States election, much has come to light. A picture has emerged of a massive global effort to create division and sow conflict — not necessarily to elect one person or another.

The primary point was fear, uncertainty, and doubt (FUD), and the powerful consequences of those emotions on the human psyche. It was an effort to destroy confidence in the country's democratic institutions, to break people's trust in the election system, and, by extension, the legitimacy of our democracy.

The system of bots continues to exploit other hot-button issues, such as the gun debate, not to sway the issue one way or the other but to fuel tension and mistrust.

This struggle for control of the mind has been going on since time immemorial, but today's tools are different. The attackers have brought their world here — on a giant scale that can only be accomplished by a government.

The same techniques could be used to short a stock, spark a consumer boycott, or bring about some as-yet-unforeseen challenge to a company's survival. As such, this is an issue all security professionals need to be thinking — and doing something — about.

From Timelines to Algorithms
It's known that Facebook was a primary vehicle for these efforts; much of the reason for that ties back to a shift in strategy the company made over the past few years, primarily for ad revenue.

Facebook's feed formerly was organized as a chronological timeline of posts from users' own connections. But as the platform grew, the company started to provide a more curated newsfeed to increase the stickiness of content. Facebook began allowing users to subscribe to feeds, and then suggested and highlighted certain content to individuals based on sentiment they expressed, as determined by algorithms.  

At first, this wasn't problematic because trolls had trouble getting through. Fact-checking efforts disallowed much of the marginal content trolls produced — and actual human checkers were screening it. But after complaints from several groups whose content was being blocked, the company dialed down its fact-checking efforts and allowed content to be posted virtually unfiltered, creating a toxic environment that enabled unprecedented access and communication from one nation to another and directly to the populace.

We know now that the online influence efforts exploiting social media were not just online but also on the ground, with people organizing protests in the real world while trolls and bots posted, replied, and stoked sentiment on various social media platforms.

The US Government's Outdated Paradigm
As this situation escalated, it didn't entirely catch the US government off guard. The press has shown that the intelligence community (IC) knew fairly early. So why didn't the IC do more? The roadblocks were part philosophical and part legal. To the US government, businesses are responsible for their own cyber defense. Protecting companies is not part of the government's remit online, outside of critical infrastructure like power plants and water supplies.

Here we have an information resource that half the country is plugged into, but our laws are designed such that the government doesn't protect that resource directly. Congress and our government's infrastructure are set up to protect citizens from physical harm through the military and law enforcement.

But this is a new horizon, and governments in the US and all over the world are struggling to respond. Many people are beginning to wonder if and how this needs to change. Even Facebook CEO Mark Zuckerberg admitted recently that he's "not sure we shouldn't be regulated." Maybe social media is critical infrastructure after all.

New Technologies, New Responsibilities
What can companies and organizations do? There will be new technologies involved, and, as usual, the defenders are far behind in developing them. There are also some shifts in both philosophy and technique that can help companies adapt to this new world. 

Although the larger effect of this issue is to sway public sentiment in the physical realm, a big part of the problem still lies in social media bots in cyberspace — software processes automatically running on a network with the purpose of engaging with and posting to those networks to drive behaviors or perceptions determined by their programmers.

This, of course, is familiar territory for security orgs. Detecting a bot by posting speeds and other indicators is common in the industry. But what the organization decides to do after detection is up for debate. Right now, we just stop it, but it may be worthwhile for security pros to stymie the bots with error codes or other means to spend more time understanding what the bots are up to, where they come from, and who controls them.
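As an added illustration (not part of the original commentary), here is one way the detect-then-observe approach could look: flag an account by posting speed or machine-like regularity, then answer with an error code while recording what it tried to post and from where. The thresholds, the 503 status, the class and field names, and the sample events are all assumptions constructed for this sketch.

```python
from collections import Counter, defaultdict, deque
from statistics import pstdev

WINDOW = 60.0     # seconds of history kept per account (assumed value)
MAX_POSTS = 5     # more posts than this inside WINDOW is flagged (assumed value)
MIN_JITTER = 0.5  # seconds; steadier gaps than this look scripted (assumed value)

class PostGate:
    def __init__(self):
        self.times = defaultdict(deque)  # account -> post timestamps inside WINDOW
        self.flagged = set()
        self.observed = []               # posts attempted by flagged accounts

    def _automated(self, stamps):
        if len(stamps) > MAX_POSTS:      # indicator 1: posting speed
            return True
        if len(stamps) < 4:              # too few posts to judge regularity
            return False
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        return pstdev(gaps) < MIN_JITTER  # indicator 2: machine-like regularity

    def handle(self, ts, account, src_ip, agent, text):
        q = self.times[account]
        q.append(ts)
        while ts - q[0] > WINDOW:        # drop posts that fell out of the window
            q.popleft()
        if self._automated(list(q)):
            self.flagged.add(account)
        if account in self.flagged:
            # Record the attempt and answer with an error code instead of
            # silently dropping it, so the activity can be studied later.
            self.observed.append((ts, account, src_ip, agent, text))
            return 503
        return 201

    def sources(self):
        """Count recorded attempts per (source IP, user agent)."""
        return Counter((ip, ua) for _, _, ip, ua, _ in self.observed)

# Constructed sample events: (timestamp, account, source IP, user agent, text)
EVENTS = [(t, "acct_a", "203.0.113.7", "py-client/1.0", f"msg {t}")
          for t in range(0, 16, 2)]
EVENTS += [(t, "acct_b", "198.51.100.4", "Mozilla/5.0", "hello")
           for t in (1, 20, 47, 58)]
EVENTS.sort()

def replay(events):
    gate = PostGate()
    return gate, [(e[1], gate.handle(*e)) for e in events]
```

The account posting every two seconds is flagged on its fourth post by the regularity check, before it ever reaches the rate limit; the irregular account is never flagged.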

Advances in technologies like artificial intelligence and natural language processing will bring the next level of defense against information warfare. Being able to detect whether the same person is behind dozens of personas or posts will require a level of data and correlation that today is available only to the world's top intelligence agencies. But we know the industry is working on it. Clearly, Facebook has the most data to work with right now, but this would also be a natural extension to the security industry's intelligence or reputation services.

Ultimately, these are human threats, and humans need to evolve along with them. Where security professionals have tended to gather intelligence about our own applications, our own networks, PCs, and logs, it's imperative in this new world that they look beyond their own four walls to see what is happening elsewhere.

CISOs need to be cognizant of how events transpiring in the physical world could bring their organization into the crosshairs. Similarly, government should evolve its idea of defense to extend more fully into the digital realm.

In this environment, users are more important than ever. It's up to everyone to be critical about the information they encounter, no matter where it comes from. Look for corroboration. Find actual facts from trusted sources. Don't believe everything you're told.

In the age of weaponized FUD, it's up to all of us to become security pros.  

Mike Convertino has nearly 30 years of experience in providing enterprise-level information security, cloud-grade information systems solutions, and advanced cyber capability development. His professional experience spans security leadership and product development at a wide ...
Comments
Joe Stanganelli,
User Rank: Ninja
6/27/2018 | 11:02:30 PM
FB
Unfortunately, the other huge fallout from this, I think, is that FB has found itself compelled to rely less on algorithms and more on outright spying and snooping on people.