Countering Russian cyber influence operations

Last Friday in SANS NewsBites, I saw an article talking about how NSA has not taken any action against the reported Russian cyber influence operations in US elections. Many laypeople have commented to me that the US can't continue to operate in an environment where other countries can try to influence our elections. But my follow-up question to them is always "how would you fix this?" The answers often start out strong, but when we dig into them a little, we find out there are significant problems with implementation.

*Full disclosure: I’m on the editorial board for SANS NewsBites. You should subscribe and use it for expert opinions on cybersecurity news.

Influence operations in cyberspace are a form of asymmetric warfare.  As we have learned from Facebook’s identification of advertising buys by Russian organizations, the cost to launch an influence operation is low.  Unfortunately, the cost to counter an influence operation is very high.  There are very limited options to counter a cyber influence operation and they all have serious problems. We intentionally won’t address the legal issues with each – let’s assume that the legislature will clear any legal hurdles that need to be addressed.

Options for dealing with cyber influence operations

  1. Counter with your own influence operations to negate undue influence from foreign actors
  2. Hack those performing the cyber influence operations and prevent them from performing the operations
  3. Sanctions or other political pressure against those conducting the cyber influence operations
  4. Conduct cyber influence operations against the aggressor hoping for a “cyber cease fire”
  5. Force the platforms used for influence to limit their susceptibility to such operations
  6. Criminally charge those involved in influence operations

Counter with your own influence operations to negate undue influence from foreign actors

In the US, this is a non-starter. Any influence operation aimed at countering foreign influence will be rightly seen as government propaganda. The US has a long national tradition of disliking propaganda, no matter who produces it. Even if you support US government-run propaganda operations, who gets to decide the message? One of the problems with calling editorial stories "fake news" is that what is and isn't "fake" is a matter of opinion. As we have seen, each political party would have quite a different message to send in countering propaganda operations.

Hack those performing the cyber influence operations and prevent them from performing the operations

This is one of those ideas that sounds like a great plan, but won’t work in reality. Attackers can buy social media ads with very little top cover. If you doubt me, head over to Facebook and see how easy it is to buy promoted content. You just need a credit card. There’s no amount of hacking NSA or CYBERCOM can perform that will stop Russians (or others) from buying social media advertisements or posting on social media. Even if we target the ringleaders of these organizations, we still won’t stop the organizations themselves from accomplishing their goals. Creating and building new accounts costs a fraction of what it takes to get them taken offline. This is asymmetric warfare at its finest. Forcing your adversary to spend $10 for every $2 you spend is how the US won the Cold War with the Soviet Union. Cyber false flag operations are a real issue here too – the US could be manipulated into hacking someone other than those responsible for the influence operation in the first place.

Sanctions or other political pressure against those conducting the cyber influence operations

I’ll let politicians smarter than me tackle this, but I think we can agree that sanctions rarely work to actually stop activity we are seeking to prevent. It was just revealed that North Korea was working with Syria to build chemical weapons and Iran is providing missiles to Yemen – all this despite sanctions.  It may be worth sanctioning the governments responsible as a token measure, but don’t expect it to actually stop the cyber influence operations.

Conduct cyber influence operations against the aggressor hoping for a “cyber cease fire”

This will likely escalate political tensions long before it results in a “cyber cease fire.” Further, it suffers from the potential problem of cyber false flag operations (so does hacking back). If we get the attribution wrong and conduct our own influence operations in retaliation, this is likely to cause more problems than it could ever solve.

Force the platforms used for influence to limit their susceptibility to such operations

While this may initially sound intellectually appealing, on deep investigation it sounds a lot like censorship. It also suffers from the issue of placing undue burden on platform owners to decide what content is and isn't acceptable. Who gets to make those decisions? Whether or not you agree with this course of action has much to do with whether your core values match those of the people making the "acceptable content" decisions. At the end of the day, platform owners profit from engagement. Platform owners will continue to favor engaging content and promoted content – whether that content is objectively false will only be an issue if it impacts the use of the platform.

Criminally charge those involved in influence operations

As most of you probably know, I am strongly against this course of action. The people who conduct these operations are nation-state cyber operators. They are working missions for their governments, following the laws of their respective governments. Charging people individually will come back to hurt the US when other nations begin charging our cyber operators for their actions. Particularly in repressive regimes, operators do not have the luxury to say “no, I won’t do that.” They’re just following orders. I’ll change my opinion in cases where cyber operators conduct war crimes (e.g. intentionally shutting off power to a whole hospital to assassinate a single target), but we aren’t there yet (or if we are, that certainly hasn’t been made public).

Conclusion / Wrap up

I've laid out some likely courses of action and noted why each one isn't likely to be effective in countering this activity. I wish I could tell you that I have an answer for what to do, but I don't. Cyber influence operations are a serious issue for us, but nothing short of censorship is likely to stop them or limit their effectiveness. Except in the most egregious cases of hate speech (e.g. speech inciting violence), I'm 100% against censorship (even if I'm personally offended by that speech).

The purpose of this post was to critically consider our options for dealing with this cybersecurity threat. Platform owners may choose to limit particular types of speech, and that is certainly their right. But beyond platform owners "doing the right thing" (which may not actually be the right thing), this is a harder problem than it might seem at first. Unlike most other posts, this one doesn't have a suggested answer. A better-educated populace is certainly one such answer, but that seems like a long-tail solution. In any case, hopefully you have found this post educational and can use it to better articulate your own arguments on the topic of how to respond to cyber influence operations.