The first of a three-part series on Russian cyberattacks and disinformation campaigns against the United States
Last month, the United States Senate Select Committee on Intelligence published its second report on “Russian Active Measures Campaigns and Interference in the 2016 Election.” It focused on Russia’s use of social media in pursuit of campaign interference. This is the first in a series of three articles dealing with the implications of this report and related issues.
“The American public, indeed all democratic societies, need to understand that malign actors are using old techniques with new platforms to undermine our democratic institutions.” – Senator Richard Burr, Chairman of United States Senate Select Committee on Intelligence
Testifying before the Committee in 2017, Georgetown Professor Roy Godson stated that Russian social media attacks were made at “the coordinated direction by the centralized authoritarian hierarchy of a combination of overt and covert techniques that propagate Russian (formerly Soviet) ideas, political military preference and undermine those of their democratic adversaries.” Senator Richard Burr, the Committee Chairman, framed the issue by stating, “The American public, indeed all democratic societies, need to understand that malign actors are using old techniques with new platforms to undermine our democratic institutions.”
What’s Really Going on Here?
Russian attacks on the American democratic system are a serious matter. Though such disinformation strategies are far from new, modern technology give them more impact on American society than ever before. During the cold war, the Soviet Union would plant false news stories and watch as the traditional print and TV media slowly picked them up, or not. Today, a false story can be launched in St. Petersburg at lunchtime, get blasted out on social media, cause a “controversy” that is covered on TV here a few hours later and then get tweeted out by the President at dinner time—instantly reaching a Super Bowl-sized audience at no cost. This is a categorically different form of disinformation from what we’ve dealt with in earlier eras.
Today, a false story can be launched in St. Petersburg at lunchtime, get blasted out on social media, cause a “controversy” that is covered on TV here a few hours later and then get tweeted out by the President at dinner time—instantly reaching a Super Bowl-sized audience at no cost.
What can be done about this problem? To solve a problem, one must first understand it. What is disinformation on social media, really? Is it simply media manipulation, or is it more like a cyberattack? Russian social media disinformation campaigns involve social engineering, automated bots and fake identities. These are some of the ingredients of hacking. For context, a few weeks after the Senate report came out, Facebook disclosed that it had deleted 5.4 billion fake accounts in the previous year. Should we consider disinformation a form of hacking? That would suggest some approaches to mitigating the problem.
The Experts Weigh In: Yes. Disinformation Is Hacking.
I put the question “Is Russian social media disinformation a form of hacking?” to a group of industry experts. I got an astonishing volume of feedback on the issue, which I will now share. Some felt disinformation was hacking. Others disagreed. Many experts offered insights that show how complex and nuanced the issue can be.
Aaron Turner of HighSide takes a fairly broad view of hacking. He uses Kevin Mitnick’s definition, which includes manipulation of people as a path to hacking machines. As he put it, “Looking at Russian disinformation campaigns, they are designed to manipulate people for them to take certain actions within systems to further Russian foreign policy objectives. Using Mitnick’s activities as the standard, Russian campaigns do qualify as hacking as they attempt to manipulate others for their own gains.”
Richard Henderson, Head of Global Threat Intelligence at Lastline, concurred, saying, “Most people, when they think of the word hacking think of someone in a hoody sitting in a dark room actively trying to break into systems. Did Russia ‘hack’ social media in this way to sow discord in the west? Of course not. But hacking also has another definition – making things do something they weren’t designed to do. With this in mind, Russia most definitely has hacked major social media to support their intelligence goals: by understanding exactly how these systems operate and how things are quickly disseminated, they have been able to build disinformation campaigns that capitalize on the viral nature of social media.”
For Michael J. Covington, Ph.D. , VP, Product Strategy at Wandera, “Any disinformation campaign is absolutely a form of hacking. The Russian attacks aimed at election manipulation are some of the most sophisticated and layered initiatives I’ve seen, given the diverse systems they’re trying to break.” Nick Kael (CISSP, CCSK, CEH) CTO of Ericom Software uses Techopedia’s broad definition of hacking, which includes attempts to ‘alter system or security features to accomplish a goal that differs from the original purpose of the system’. He said, “Based on this definition, hacking can very well include activities such as social media trolling and Twitter bots, and the Russian disinformation campaigns that have been in the news are great examples. “
“The Russian attacks aimed at election manipulation are some of the most sophisticated and layered initiatives I’ve seen, given the diverse systems they’re trying to break.” – Michael J. Covington, Ph.D. , VP, Product Strategy at Wandera
“I absolutely see the active social media/fake news/social engineering efforts of the Russians similar to, if not the same as, hacking,” said Catherine A. Allen, CEO, Shared Assessments. She added, “It is manipulation of online information and access to individuals. Often names or social media accounts are first hacked for access, then the false news is sent to them.” Joseph Lorenzo Hall, Senior VP at The Internet Society, agreed, noting “Yes, trolling and disinformation are forms of hacking, in that they are social engineering using digital systems to accomplish an adversary’s goal that is not in the interest of the target.”
Marcus Chung, CEO of BoldCloud shared, “Yes, I would most definitely characterize any ‘disinformation campaigns’ including Russian state campaigns as a highly effective form of social engineering and malicious hacking.” Terence Jackson, CISO of Thycotic, echoed this sentiment, saying, “The disinformation is indeed the hacking of humans. Social media influences so much of our culture and opinions. As we have seen, the mass spreading of false information can affect the way we view certain things.”
According to Jamil Jaffer, VP Strategy and Partnerships at IronNet Cybersecurity, “While disinformation campaigns may not be a classic form of hacking, in that they don’t involve unauthorized access to a computer system or data, they certainly are designed to alter Americans’ perception of the political environment and to undermine our confidence in our election system, our elected leaders, and our rule of law institutions.”
A comparable number of industry experts did not see Russian disinformation as hacking. For instance, free speech and privacy advocate Dave Glassco, who serves as CEO of the private social media hub Neone, commented, “No, they did not hack their way into Facebook or Twitter. They simply abused the business models of tech companies that never cared about their user’s privacy to begin with.” Christopher Day, Chief Cybersecurity Officer at Cyxtera also didn’t see disinformation as hacking. Further to Dave Glassco’s point, he said, “The only think being ‘hacked’, in my view, is the Terms of Acceptable Use on any given social media platform.”
“No, they did not hack their way into Facebook or Twitter. They simply abused the business models of tech companies that never cared about their user’s privacy to begin with.”- Dave Glassco, CEO of the private social media hub Neone
Ian Eyberg, CEO of NanoVMs, emphatically declared, “Absolutely not. Buying ads legally is not the same thing as breaking into a computer. I feel this issue has been politicized to death.” Rene Kolga, VP of Product Strategy at Nyotron, added, “This is not a form of hacking and calling it hacking just confuses the issues. Hacking implies gaining access to and manipulating a computer without permission. The Russians are essentially trolling and running a disinformation campaign by using Twitter bots.”
As Inga Goddijn, executive vice president, Risk Based Security, feels that calling social media manipulation ‘hacking’ just obscures what’s actually happening. For her, “‘hacking’ is some form of unauthorized access to otherwise restricted systems or data. Disinformation campaigns take advantage of human nature coupled with how most public forums are designed to work.”
The historical context mattered to Chris Morales, head of security analytics at Vectra. As he observed, “Joseph Stalin coined the term disinformation a century ago and Russian use began with a ‘special disinformation office’ in 1923. The point being this is not new, and disinformation is not a form of hacking. It is social engineering and the internet and social media are the newest medium.”
Daniela Perlmutter, VP of Marketing at CyberInt, offered a similar historical viewpoint, noting, “Russia’s disinformation campaigns fall under Russia’s Information Warfare doctrine (which has existed since WWII); information warfare defines Russia’s use of information and its spread gain an advantage over its rivals. Hacking, on the other hand, is the ability to gain unauthorized access to data in a system or computer, and hence is different.”
Casey Ellis, Bugcrowd Founder, CTO and Chairman, saw it in comparable terms. He said, “I’d classify them as psychological operations (PSYOPS), which is basically a broadly deployed form of social engineering (and often referred to as ‘hacking’). I reserve the term ‘hacking’ to the concept of manipulating computer systems to do something they weren’t initially designed to do.”
“I reserve the term ‘hacking’ to the concept of manipulating computer systems to do something they weren’t initially designed to do.” – Casey Ellis, Bugcrowd Founder, CTO and Chairman
“’Hacking’ is a fluid word that people use in a variety of different ways today,” said Corey Nachreiner, CTO at WatchGuard Technologies. He then commented, “While social engineering and the use of technical tools to spam social networks might qualify to some as ‘hacking,’ I tend to reserve that word for attacks that actually use exploits or technical tricks to gain unauthorized access to an organization’s network or devices. The spread of disinformation is less hacking, and more just social engineering leveraging spamming tools.”
“In my opinion, disinformation campaigns are different from the traditional view of ‘hacking’ largely because they do not seek to disrupt, deny, destroy or abuse the IT systems themselves,” said Emilio Iasiello, Senior Cyber Intelligence Analyst at LookingGlass Cyber Solutions. His insight was,
“Disinformation campaigns need the system architecture to function properly.”
As always, getting a multiplicity of expert insights can be both informative and disoriented. It makes you think, though. Or at least, it should. Russian disinformation is a challenging issue to deal with. In the next article in this series, we’re going to ask how—and if—these disinformation campaigns are linked to other Russian cyberattacks like ransomware.