Cloud

6/27/2018
02:30 PM
Mike Convertino
Mike Convertino
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Russia, Facebook & Cybersecurity: Combating Weaponized FUD in the Social Media Age

It's up to everyone -- users, security pros, government -- to be critical about the online information we encounter.

In the weeks since indictments were handed down from the ongoing investigation into Russia's influence over the 2016 United States election, much has come to light. A picture has emerged of a massive global effort to create division and sow conflict — not necessarily to elect one person or another.

The primary point was fear, uncertainty, and doubt (FUD), and the powerful consequences of those emotions on the human psyche. It was an effort to destroy confidence in the country's democratic institutions, to break people's trust in the election system, and, by extension, the legitimacy of our democracy.

The system of bots continues to exploit other hot-button issues, such as the gun debate, not to sway the issue one way or the other but to fuel tension and mistrust.

This struggle for the mind to exercise control has been going on since time immemorial, but today's tools are different. The attackers have brought their world here — on a giant scale that can only be accomplished by a government.

The same techniques could be used to short a stock, spark a consumer boycott, or affect some as yet unforeseen challenge to a company's survival. As such, this is an issue all security professionals need to be thinking — and doing something — about.

From Timelines to Algorithms
It's known that Facebook was a primary vehicle for these efforts; much of the reason for that ties back to a shift in strategy the company made over the past few years, primarily for ad revenue.

Facebook's feed formerly was organized as a chronological timeline of posts from users' own connections. But as the platform grew, the company started to provide a more curated newsfeed to increase the stickiness of content. Facebook began allowing users to subscribe to feeds, and then suggested and highlighted certain content to individuals based on sentiment they expressed, as determined by algorithms.  

At first, this wasn't problematic because trolls had trouble getting through. Fact-checking efforts disallowed much of the marginal content trolls produced — and actual human checkers were screening it. But after complaints from several groups whose content was being blocked, the company dialed down its fact-checking efforts and allowed content to be posted virtually unfiltered, creating a toxic environment that enabled unprecedented access and communication from one nation to another and directly to the populace.

We know now that the online influence efforts exploiting social media were not just online but also on the ground, with people organizing protests in the real world while trolls and bots posted, replied, and stoked sentiment on various social media platforms.

The US Government's Outdated Paradigm
As this situation escalated, it didn't entirely catch the US government off guard. The press has shown that the intelligence community (IC) knew fairly early. So why didn't the IC do more? The roadblocks were part philosophical and part legal. To the US government, businesses are responsible for their own cyber defense. Protecting companies is not part of the government's remit online, outside of critical infrastructure like power plants and water supplies.

Here we have an information resource that half the country is plugged into, but our laws are designed such that the government doesn't protect that resource directly. Congress and our government's infrastructure are set up to protect citizens from physical harm through the military and law enforcement.

But this a new horizon, and governments in the US and all over the world are struggling to respond. Many people are beginning to wonder if and how this needs to change. Even Facebook CEO Mark Zuckerberg admitted recently that he's "not sure we shouldn't be regulated." Maybe social media is critical infrastructure after all.

New Technologies, New Responsibilities
What can companies and organizations do? There will be new technologies involved, and, as usual, the defenders are far behind in developing them. There are also some shifts in both philosophy and technique that can help companies adapt to this new world. 

Although the larger effect of this issue is to sway public sentiment in the physical realm, a big part of the problem still lies in social media bots in cyberspace — software processes automatically running on a network with the purpose of engaging and inputting on those networks to drive behaviors or perceptions determined by their programmers.

This, of course, is familiar territory for security orgs. Detecting a bot by posting speeds and other indicators is common in the industry. But what the organization decides to do after detection is up for debate. Right now, we just stop it, but it may be worthwhile for security pros to stymie the bots with error codes or other means to spend more time understanding what the bots are up to, where they come from, and who controls them.

Advances in technologies like artificial intelligence and natural language processing will bring the next level of defense against information warfare. Being able to detect whether the same person is behind dozens of personas or posts will require a level of data and correlation that today is available only to the world's top intelligence agencies. But we know the industry is working on it. Clearly, Facebook has the most data to work with right now, but this would also be a natural extension to the security industry's intelligence or reputation services.

Ultimately, these are human threats, and humans need to evolve along with them. Where security professionals have tended to gather intelligence about our own applications, our own networks, PCs, and logs, it's imperative in this new world that they look beyond their own four walls to see what is happening elsewhere.

CISOs need to be cognizant of how events transpiring in the physical world could bring their organization under the crosshairs. Similarly, the role of government should evolve its idea of defense to extend more fully into the digital realm.

In this environment, users are more important than ever. It's up to everyone to be critical about the information they encounter, no matter where it comes from. Look for corroboration. Find actual facts from trusted sources. Don't believe everything you're told.

In the age of weaponized FUD, it's up to all of us to become security pros.  

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

 

Mike Convertino has nearly 30 years of experience in providing enterprise-level information security, cloud-grade information systems solutions, and advanced cyber capability development. His professional experience spans security leadership and product development at a wide ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
6/27/2018 | 11:02:30 PM
FB
Unfortunately, the other huge fallout from this, I think, is that FB has found itself compelled to rely less on algorithms and more on outright spying and snooping on people.
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Data Privacy Careers Are Helping to Close the IT Gender Gap
Dana Simberkoff, Chief Compliance and Risk Management Officer, AvePoint, Inc,  8/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12579
PUBLISHED: 2018-08-20
An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0; and Community Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0. An attac...
CVE-2018-14020
PUBLISHED: 2018-08-20
An issue was discovered in the Paymorrow module 1.0.0 before 1.0.2 and 2.0.0 before 2.0.1 for OXID eShop. An attacker can bypass delivery-address change detection if the payment module doesn't use eShop's checkout procedure properly. To do so, the attacker must change the delivery address to one tha...
CVE-2018-14023
PUBLISHED: 2018-08-20
Open Whisper Signal (aka Signal-Desktop) before 1.15.0-beta.10 allows information leakage.
CVE-2018-1394
PUBLISHED: 2018-08-20
Multiple IBM Rational products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 138425.
CVE-2018-1517
PUBLISHED: 2018-08-20
A flaw in the java.math component in IBM SDK, Java Technology Edition 6.0, 7.0, and 8.0 may allow an attacker to inflict a denial-of-service attack with specially crafted String data. IBM X-Force ID: 141681.