In the weeks since indictments were handed down from the ongoing investigation into Russia's influence over the 2016 United States election, much has come to light. A picture has emerged of a massive global effort to create division and sow conflict — not necessarily to elect one person or another.
The primary point was fear, uncertainty, and doubt (FUD), and the powerful consequences of those emotions on the human psyche. It was an effort to destroy confidence in the country's democratic institutions, to break people's trust in the election system, and, by extension, the legitimacy of our democracy.
The system of bots continues to exploit other hot-button issues, such as the gun debate, not to sway the issue one way or the other but to fuel tension and mistrust.
This struggle for the mind to exercise control has been going on since time immemorial, but today's tools are different. The attackers have brought their world here — on a giant scale that can only be accomplished by a government.
The same techniques could be used to short a stock, spark a consumer boycott, or affect some as yet unforeseen challenge to a company's survival. As such, this is an issue all security professionals need to be thinking — and doing something — about.
From Timelines to Algorithms
It's known that Facebook was a primary vehicle for these efforts; much of the reason for that ties back to a shift in strategy the company made over the past few years, primarily for ad revenue.
Facebook's feed formerly was organized as a chronological timeline of posts from users' own connections. But as the platform grew, the company started to provide a more curated newsfeed to increase the stickiness of content. Facebook began allowing users to subscribe to feeds, and then suggested and highlighted certain content to individuals based on sentiment they expressed, as determined by algorithms.
At first, this wasn't problematic because trolls had trouble getting through. Fact-checking efforts disallowed much of the marginal content trolls produced — and actual human checkers were screening it. But after complaints from several groups whose content was being blocked, the company dialed down its fact-checking efforts and allowed content to be posted virtually unfiltered, creating a toxic environment that enabled unprecedented access and communication from one nation to another and directly to the populace.
We know now that the online influence efforts exploiting social media were not just online but also on the ground, with people organizing protests in the real world while trolls and bots posted, replied, and stoked sentiment on various social media platforms.
The US Government's Outdated Paradigm
As this situation escalated, it didn't entirely catch the US government off guard. The press has shown that the intelligence community (IC) knew fairly early. So why didn't the IC do more? The roadblocks were part philosophical and part legal. To the US government, businesses are responsible for their own cyber defense. Protecting companies is not part of the government's remit online, outside of critical infrastructure like power plants and water supplies.
Here we have an information resource that half the country is plugged into, but our laws are designed such that the government doesn't protect that resource directly. Congress and our government's infrastructure are set up to protect citizens from physical harm through the military and law enforcement.
But this a new horizon, and governments in the US and all over the world are struggling to respond. Many people are beginning to wonder if and how this needs to change. Even Facebook CEO Mark Zuckerberg admitted recently that he's "not sure we shouldn't be regulated." Maybe social media is critical infrastructure after all.
New Technologies, New Responsibilities
What can companies and organizations do? There will be new technologies involved, and, as usual, the defenders are far behind in developing them. There are also some shifts in both philosophy and technique that can help companies adapt to this new world.
Although the larger effect of this issue is to sway public sentiment in the physical realm, a big part of the problem still lies in social media bots in cyberspace — software processes automatically running on a network with the purpose of engaging and inputting on those networks to drive behaviors or perceptions determined by their programmers.
This, of course, is familiar territory for security orgs. Detecting a bot by posting speeds and other indicators is common in the industry. But what the organization decides to do after detection is up for debate. Right now, we just stop it, but it may be worthwhile for security pros to stymie the bots with error codes or other means to spend more time understanding what the bots are up to, where they come from, and who controls them.
Advances in technologies like artificial intelligence and natural language processing will bring the next level of defense against information warfare. Being able to detect whether the same person is behind dozens of personas or posts will require a level of data and correlation that today is available only to the world's top intelligence agencies. But we know the industry is working on it. Clearly, Facebook has the most data to work with right now, but this would also be a natural extension to the security industry's intelligence or reputation services.
Ultimately, these are human threats, and humans need to evolve along with them. Where security professionals have tended to gather intelligence about our own applications, our own networks, PCs, and logs, it's imperative in this new world that they look beyond their own four walls to see what is happening elsewhere.
CISOs need to be cognizant of how events transpiring in the physical world could bring their organization under the crosshairs. Similarly, the role of government should evolve its idea of defense to extend more fully into the digital realm.
In this environment, users are more important than ever. It's up to everyone to be critical about the information they encounter, no matter where it comes from. Look for corroboration. Find actual facts from trusted sources. Don't believe everything you're told.
In the age of weaponized FUD, it's up to all of us to become security pros.
Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.