How would you respond to a mass disinformation campaign targeting your services, personnel and infrastructure? How would you prepare for the ‘all too real’ potential consequences of such a campaign that could quickly overwhelm traditional cyber defences? What can we all learn from the lessons of the recent US election campaign and what does it mean for law enforcement, national security and cyber security professionals?
Recent turmoil in US cities fuelled by the manipulation of social media via malicious influencers, conspiracy theorists and weaponised bots, pose a new level of threat to government institutions both within the US and beyond. In particular, the rise of online conspiracy theorists and the targeting of government employees and IT infrastructure, often backed by malicious state sponsored threat actors that are all too keen to take advantage of this ‘Information War’ in pursuit of their strategic objectives. Truth, it seems is the first casualty.
The exploitation of social media and the targeting of government systems by highly motivated, technically capable, extremist groups is not a new phenomenon. That said, the degree of convergence between these elements has reached unprecedented levels. In August 2020, US based mainstream media[1] quoted a recent internal study conducted by one social media company[2] which estimated that conspiracy theorist groups (those deemed violent and non-violent) now numbered almost three million members and followers and that the nature of Facebook algorithms was inadvertently acting as a catalyst, fuelling the growth of these groups and assisting the spread of their message and dystopian world view.
The ability to deliberately create a compelling false narrative, that is distributed quickly and effortlessly over social media forums, messaging boards and applications can fuel chaos and lead to violent public order issues with real world consequences.
Whether that is concerted ‘state backed’ efforts to undermine the integrity of vote counting machines within the critical national infrastructure (CNI) of state institutions or the bewildering series of conspiracy theories that motivate a heavily armed individual to show up at a pizza restaurant believing himself to be a self-appointed, You Tube vigilante. The risk posed to public safety as a result of the potentially disastrous consequences from this type of malicious social media activity should not be understated.
Throughout 2020, state sponsored threat actors have shown themselves to be particularly adept at this type of social media manipulation and their ability to ‘pour petrol’ on potential areas of tension within western democracies has seen the resources of law enforcement, national security and intelligence agencies scrambling to respond and often pushed to the limit in their efforts to manage the risks to public safety.
The hard work, professionalism and dedication of cyber security professionals in the US Homeland Security, Centre for Cyber Security and Infrastructure Security Agency (CISA) whilst reported to be successful in preventing malicious foreign intervention in the US voting system infrastructure, proved insufficient to ensure the head of the agency kept his job after appearing to contradict the Twitter posts of the Commander in Chief – the US President. Who can envy the task of the individual who had to brief the US President on the concept and benefits of cyber security, risk management and IT asset hardening. It would appear that even success and hard work is no guarantee of approval from the boss when it proves counter to the narrative of the incumbent political administration.
For those of us sitting comfortably in the UK watching the unfolding drama in the US our attention must not give way to complacency. We need to guard against the mistake of thinking this ‘couldn’t happen here’.
Such has been the concern amongst UK policy makers in respect of the C19 anti-vaccination (Anti-Vax) campaign that in November this year the Sunday Times reported the Ministry of Defence had mobilised the resources of the Defence Cultural Specialist Unit (DCSU). DCSU are a specialist unit of the British Army tasked (amongst other objectives) with supporting psychological operations (PSYOPS) in respect of ‘Target Audience & Human Terrain Analysis’.
PSYOPS or Influence Operations (INFOPS) are a core part of military doctrine and most nations, including hostile nation states, possess this capability. In Russia it is also known as ‘Maskirovka’ and has featured in most military campaigns since the start of the 20th Century, most recently in the Ukraine.
Leaving aside the question of the legitimacy of using UK military assets to essentially influence the opinion of the British public, this move is significant insomuch as it is the clearest example yet of the concern amongst UK policy makers as to the potential threat posed by the Anti-Vax movement and the voluntary uptake of the C19 vaccine. It would be interesting to know how much effort is being directed to mobilise cyber security resources and how these are being deployed to protect NHS IT systems, infrastructure and that of vaccination supply chain partners such as Pfizer.
Whilst it is true to say UK government health professionals have successfully countered the conspiracy theories of the Anti-Vax groups for some time. It is equally true to say they have never had to operate in the face of such a toxic social media narrative in the midst of a resource sapping pandemic. Complex challenges that continue to evolve while UK (and overseas) based Anti-Vax groups are learning how to conduct successful social media driven disinformation campaigns from their US counterparts.
An insight perhaps, in November 2020 the Politico website quoted a former senior special advisor to Matt Hancock[3] setting out how the UK Government wanted to take on the conspiracy narrative of the Anti-Vax movement and was preparing to:
“…fight the misinformation virus on multiple fronts, with a rebuttal team at the center aided by Whitehall departments spreading positive messages in their areas and working with social media firms to take down damaging content…”
This level of concern amongst UK policy makers seems very well placed when the latest YouGov polling suggests that around a fifth of the UK population will not take the vaccine. In his comments Jamie Njoku-Goodwin points out the potential that a 25% refusal figure would have to undermine the success of the vaccination campaign.
In the UK we have already seen social media based disinformation flex in response to various stages of the pandemic, whether it is the spreading of the virus via 5G mobile phone masts or the equally false claims that children will be inoculated without parental consent and that the UK Armed Forces will be deployed to ‘force’ recipients to take the vaccine.
Much is riding on the UK Governments effort to successfully counter these narratives and win this battle in the ‘Information War’ but it remains to be seen whether they possess the resources, tools and political will to endure over the long term.
[1] NBC News
[2] Facebook
[3] Jamie Njoku-Goodwin