Cyber Security Books


The technology publishing industry is now releasing numerous cyber security books every year. Some are highly technical in nature, such as those published by Manning Publications. Others are based on cyber security research. Some, like Jim Sciutto’s The Shadow War, are not primarily about cyber security, but rather deal with urgent national security issues that relate to cyber security and cyber espionage.

Why Read Cyber Security Books?

Books about cyber security are helpful for many reasons. For one thing, they often provide good explanations for extremely complex topics. They can help non-technical people understand deep technological issues that affect security. Like, what’s ransomware? Most people have a general idea of how ransomware works, but a good cyber security book can spell out the threat and its impact in plain English.

Going in the other direction, a cyber security book can explain business, public policy or national security issues to a cyber security practitioner. There is a great need for this kind of cross-disciplinary dialogue. Many cyber security analysts and topical experts lack a firm grasp of the broader legal and public policy issues that affect their work.

 

Books about Political Philosophy that Deal with Cyber Security

Cyber security, cyber threats and digital disinformation—which is a form of cyberattack, at a deep level—make appearances in several recent books about political philosophy. For example, Timothy Snyder’s The Road to Unfreedom, as well as his short book, On Tyranny, examine the impact of digital technology on political sensibilities. They discuss the potentially devastating impact of cyberattacks from political actors like the Russian FSB security services on vulnerable countries like Ukraine.

 

Cyber Security Books about Public Policy

There have been some excellent recent books that deal with cybersecurity in the contexts of public policy and military strategy. For instance, Cyberspace in Peace and War, written by Professor Martin C. Libicki at the US Naval Academy, provides the reader with a comprehensive technological and military overview of cyberwar. It happens to be remarkably thorough in dealing with some very complex issues.

The author introduces the subject with a detailed review of cyberattacks. He then defines the main approaches to cyberdefense, delving into the tricky conversation about what the government should or should not do about the problem.

 

 

Book Review: Digital Influence Mercenaries

Digital Influence Mercenaries: Profits and Power Through Information Warfare by James J. F. Forest (Naval Institute Press) is part of an unintended trilogy of recent books that attempt to explain the current credibility crisis in news and public opinion. Together with Bombarded and Social Engineering, Digital Influence Mercenaries explores the world of stealthy entities that drive online disinformation campaigns.

The book seeks to answer the questions that are on the lips of so many concerned observers: What on earth is happening in the public sphere? How are tens of millions of people persuaded to believe demonstrably false stories—often with serious real-world implications?

How can it be that 70% of Republicans believe that Donald Trump won the 2020 election when 62 lawsuits making this claim have been thrown out of court and news outlets have revealed that the main architects of the “stop the steal” story privately admitted that they knew they were lying? (This is my example, not Forest’s.) It seems the very definition of reality itself is up for grabs these days, and the outlook for the truth is not looking so hot.

Forest, a professor at the University of Massachusetts, offers an answer. He lays out a compelling, detailed analysis of the murky world of disinformation for profit. As he explains, there is an entire industry of firms and individuals who are available to manipulate public opinion online. As warfare becomes more digital, mercenary armies are at the ready. They engage in deception and dirty tricks for money. In some cases, they are entrepreneurial businesses that invent outrageous fake stories and sell ads on sites that draw millions of page views.

Other times, they are hired and paid to achieve specific opinion goals, like convincing people that the Pope had endorsed Donald Trump for president, a notoriously successful fake story in 2016. Forest helpfully frames the issue in terms of the “attention economy,” an economic theory that links the ability to get attention with the ability to make money and gain political power. In his view, the supply and demand nature of the attention economy has created a market for firms and entrepreneurs using the tactics, tools and strategies of digital influence warfare to gain profit and power.

Forest also broadens his focus to let the reader know that digital influence mercenaries are not only involved in politics. They are available to help with corporate messaging initiatives and international relations. Clients can include governments, private citizens (e.g., billionaires) and intelligence agencies. Indeed, as he points out, this is not a solely American phenomenon. Numerous countries are going through their own experiences of well-honed digital lies erupting into real crises.

The digital influence mercenary, according to Forest, often develops his or her messaging based on an analysis of the audience. False stories and conspiracy theories are carefully constructed to speak to the fears and suspicions of a target group. Social Engineering also digs into this topic. Both books reveal how in-depth data analytics, often performed on illegally or improperly obtained data sets, drive strikingly successful results in terms of disinformation influence.

The book begs a question: Why do people fall for this stuff? It’s one thing to gin up a story that says Hillary Clinton is a shoplifter. It’s another thing for that story to be reshared a hundred million times. The answer, which Forest doesn’t delve too deeply into, is that we all seem to have a great appetite for fake stories that confirm our pre-existing beliefs and tribal inclinations. He does point out, however, that those on the political right are more likely to believe and share false stories. Research reveals that people on the left tend to get their information from multiple sources, so they are less inclined to buy into patent falsity.

None of this is new, of course. The use of lies to manipulate public opinion has been around for centuries. It’s possible that we’re simply going through the inevitable cycle of political disruption that occurs during a media technology revolution. The invention of the printing press led to the Reformation. The invention of radio aided the rise of fascism. The invention of television shook up American politics and ended the era of the party bosses, and so forth. The dawn of the Internet and social media era is now creating a fake news microcosm that disrupts all established purveyors of actual news.

At the same time, there is a feeling that perhaps this time it really is different. The power of mass, instant connectivity and social networks seems to be producing a force in public life that none of us could have imagined. Nor does anyone have any particularly bright ideas about what to do about the problem.

Forest does believe that there are solutions. He believes that social media platforms can do more to screen out bots and malicious fake stories. He credits them with efforts made to date, though. He cites a number of examples of social media companies taking the initiative to improve the quality of information on their platforms. Much work remains to be done, however.

 

 

Book Review – Bombarded: How to Fight Back Against the Online Assault on Democracy

Bombarded: How to Fight Back Against the Online Assault on Democracy, by Cyrus Krohn, with Tom Farmer, takes on an ambitious topic. The authors’ goal is to demonstrate how digital media threatens to destroy American democracy. In particular, they focus on the problem of misinformation and disinformation that floods online news platforms and social media sites—distorting public opinion, and the very notion of objective reality itself.

Krohn has unique credentials to write this book. He was one of the first hires at Slate.com, a site he helped build into one of the first viable online news sites. He then went to work as a digital media advisor to a number of high-profile political campaigns. He is an insider in a business that most of us experience, in alarmed ignorance, from the outside.

Krohn leads off with a bit of dystopian fiction, which is a clever and engaging way to get the reader to think about where today’s toxic infosphere is headed. Imagine the year 2032, he asks, where deepfake-style holograms of the American president greet you at the door and ask how you liked your most recent latte at Starbucks. Like another book I reviewed, Social Engineering, Bombarded wants you to be very concerned about how much personal data the tech industry is (legally and illegally) harvesting about you and putting to work changing your mind on various issues.

The book then goes into what seems like a digression into Krohn’s career history, starting with his days working for Vice President Dan Quayle and helping to launch Slate. It’s not a digression, however, as Krohn leads the reader right up to the present moment of digital chaos. Understanding the origins of today’s online firehoses of lies is helpful for grasping the depth of the information crisis of American politics and the broader society.

The issue Krohn wants the reader to understand is that there is a line out there, a line between aggressive microtargeting of voters with data analytics and using those analytics and artificial intelligence (AI) techniques to confuse people and agitate them in toxic ways. That line has been crossed, in his view, and any sentient observer of American politics in the last five years should concur.

Krohn’s exhibit A in showcasing the insane frenzy of disinformation is the public’s response to the COVID-19 pandemic. This episode should put to rest any notion that online platforms can do what they originally claimed they were capable of: unifying the American people to form communities that could improve the health of our democracy. The appalling opposite is true, and hundreds of thousands of lives ended as a result of the deliberate, cynical politicization of the pandemic using digital media.

Books are always like insects in amber, reflecting the moment they came out. This book went to press before the 2020 election. A sequel is needed to cover the lethal madness of January 6 and related disinformation campaigns.

One of Krohn’s main concerns is that voters, confronted with a daily deluge of half-truths, will simply give up and disengage from the political process. This is already happening for younger voters, who are not up for the job, per Mark Zuckerberg’s advice, of deciding for themselves what is true and what is a lie on the platform. Is anyone up for such a job? Turned off, trusting no one, they opt out of voting, which will lead to the effective death of the US as a self-governing republic.

The book takes aim at the naïve and irresponsible abdication of authority present on major platforms. Coupled with lax or nonexistent regulation of data collection, opaque algorithms and the collapse of the news business, it’s a pretty grim situation. The country’s polity is heading for a bad place, if we’re not already there.

One issue that’s implicit in the book is the notion of the “Attention Economy,” a term coined by the economist Herbert Simon. Per Simon and others who have studied the issue, the explosion in information has put a premium on people’s attention. Attention translates into economic and political power. And, the pressures of the attention economy lead to unintended negative consequences.

If attention were paid to the right issues, this book would not be number 954,000 on Amazon. Heather Cox Richardson would have the top-rated nightly news show and political campaigns would not traffic in twenty-second sound bites and lying Facebook memes. Instead, the attention economy rewards people who are talented at hogging attention for all the wrong reasons. See Trump, Donald.

This leads to one of the paradoxes of the book. There are solutions, as Krohn suggests. There could be better regulation of data collection and online platforms, for example. The news industry might find a way to reinvent itself to be profitable. However, the forces that have been unleashed by the Internet stand in the way. In an era when there is so little trust in government, and elections go to the biggest and most well-funded liars, reforming digital media is probably a fool’s errand.

Krohn is not a pessimist, however. He believes these problems can be solved, or at least addressed. I am not so sanguine about it, though I do share his view that the younger generation may make peace with the new infosphere in ways that us older folks can’t imagine. For example, tuning out all the lies might be a good thing. Perhaps a general understanding that online news is not to be trusted will create opportunities for outlets that can demonstrate some commitment to the truth.

My only issue with this book is its relentless drive to be evenhanded. I understand why the authors have tried so hard not to take a particular side. The issue affects the entire society. It’s a non-partisan issue. However, if we can be real for a second, it’s not quite fair to say that the COVID pandemic disinformation problem just happened because of a corrupt infosphere. One side promulgated outlandish, lethal lies while the other tried in vain to prop up the truth. Any serious solution to this problem has to take aim at the biggest violators of the public trust, as much as it looks at reforming the digital ecosystem.

To get a copy of Bombarded, visit https://amzn.to/3K8mxp6

Book Review: Social Engineering

The new book from MIT Press, Social Engineering: How Crowdmasters, Phreaks, Hackers, and Trolls Created a New Form of Manipulative Communication, by Robert W. Gehl and Sean T. Lawson, takes on an important and ambitious topic. At the risk of oversimplification, Gehl and Lawson set out to answer a question that’s been perplexing thinking, observant Americans for the last six years: What on earth is going on with public opinion and the news—and politics?

While not everyone would agree with their perspective, Gehl and Lawson reasonably argue that the country has gone more or less crazy, with tens of millions of people passionately believing in demonstrable falsehoods. As they say in the book, “The United States is awash in a disorienting and sometimes deadly media environment.” People share, and believe, manipulative information about elections and bogus COVID cures on social media.

It’s a good question, and Social Engineering offers an approach to answering it. Gehl and Lawson, who are professors at Louisiana Tech and University of Utah, respectively, break the problem down and offer an analysis of how mass communications have changed over the last few years. Their high-level takeaway is that the dividing line between mass communications, as exemplified by radio and TV, and interpersonal communications like email and chat, has blurred. We are now in an era of what they call “masspersonal” communications.

Masspersonal communications is the practice of sharing a personalized message with a mass audience. They cite examples of Facebook memes that are exquisitely tuned to each social media user’s personal psychographic profile. The election manipulation by Cambridge Analytica is a case in point. After extensive data mining on American voters, the firm and its affiliates were able to target millions of people with personalized messages that motivated them to support Donald Trump for president.

As they point out, the general strategy here is not at all new. It is social engineering, the archetypal approach to public relations set out by industry pioneers like Edward Bernays and Doris Fleischman in the 1920s. These original social engineers believed the public relations professions had a right, if not a duty, to mold public opinion with the goal of reengineering society into a better version of itself. In this endeavor, they likened themselves to other heroic engineers of the era, who solved problems of public health and human existence through innovative engineering solutions.

As we all know, however, not all PR professionals have been so noble in the intervening century. The Bernays/Fleischman techniques have been exploited to obscure the danger of cigarettes, nuclear power and other societal ills.

What’s different now is that technology has made it possible to take the Bernays/Fleischman strategy of mass persuasion and combine it with data analytics to deliver social engineering at a personalized level. Mass plus personal. Masspersonal.

In this, the authors argue, today’s social engineers have borrowed sly tactics from hackers, the other group whose members call themselves social engineers. The book quotes the notorious hacker Kevin Mitnick extensively. In Mitnick’s view, as the authors relate, it is usually far easier to hack a person than it is to hack a computer system. The social engineers, starting with the original “phone phreaks” of the 1970s, are adept at tricking people into sharing passwords and granting access to restricted networks. The masspersonal social engineers also use these techniques to manipulate large groups of people, not just one victim at a time.

Gehl and Lawson have definitely done their homework here. They offer extensive analysis and examples of the connections between hacking, Mitnick-style social engineering and their paradigm of masspersonal social engineering. Much of this is outside of my academic and intellectual weight class, so I don’t feel entirely comfortable assessing the validity of their arguments. I will offer a few observations, however.

At a base level, this book provides an insightful and accurate take on a communications revolution that is reshaping politics and society in general. The revolution is new and still unfolding, so it’s hard to pin down exactly what’s happening—except, what’s happening now is different from what happened before. If nothing else, the book is a wakeup call for people who are struggling to understand the forces shaping public opinion in baffling ways.

The book also answers an implicit question asked by societal and political observers, which is why the old techniques of rebutting opposing points of view in the media no longer work. Why is it that when Donald Trump sent out a tweet, tens of millions of people aligned with his point of view, while no amount of guest appearances on Sunday talk shows or New York Times op-eds could do anything to budge his base? The book gives an answer. Masspersonal communications is more powerful and reaches deeper into the public consciousness than traditional mass media.

One area where I think the authors have missed the point, however, is in their eulogies for the Bernays/Fleischman model of mass communications and social engineering. They say it no longer exists. This may be true in the sense that pompous elitists don’t strut around bragging that they are in control of public opinion. That’s passé. However, their techniques are very much with us.

It’s important not to ignore the raw power of television and radio today in shaping opinions and driving political action. A brief glance at Fox News and its ability to persuade millions of people to think a certain way should blunt any claim that traditional social engineering is dead. Its practitioners are simply lurking in the shadows, rather than claiming a divine right to reshape American society.

Overall, this is an important book, one that contributes much-needed insights into a confusing and alarming time.

To order the book, visit https://amzn.to/36lBhCJ

 

Book Review: Trust in Computer Systems and the Cloud

Trust in Computer Systems and the Cloud by Mike Bursell, CEO and co-founder of Profian, takes on a subject of monumental importance in cybersecurity that most of us tend to overlook on a daily basis. Trust, functioning as a noun and verb, is the root of almost every control and countermeasure in the world of security. Yet, trust is poorly—or at least incompletely—understood by most security and computing professionals. Bursell’s book sets out to address this imbalance.

As Bursell notes, trust is one of those concepts that most of us understand intuitively, even if we cannot accurately express its meaning. Indeed, that’s part of the problem. The issue of trust is so deeply wired into the human brain that we may have difficulty accessing it in a productive, conscious way. We might speak about trust using our own definition, but the person we’re speaking with hears a different definition.

The book set me thinking that what we call trust is probably a brain stem function that predates the existence of modern homo sapiens. If two animals encounter each other in the wild, they are wired to either trust, or distrust each other. Survival depends on a fast, accurate trust reflex. So it goes in modern human society and computing, as well.

Bursell has his work cut out for him. He does an admirable job of breaking down trust into elements the reader can understand and apply to computing and security tasks. He draws on sociology and philosophy to offer a basic definition of trust, which is “the assurance that one entity holds that another will perform particular actions according to a specific expectation.”

However, as he quickly adds, things can get a lot more complicated in a computing context. In computing, we have at a minimum trust between user and system, from system to system, and entity to entity. Plus, as Bursell points out, trust is always contextual, and one of the contexts is always time. Nor are trust relationships symmetrical. Your device may trust data coming from Amazon Web Services. But that does not mean that AWS trusts your device.

Bursell offers a relatable example. You might trust your brother. Do you trust your brother to perform brain surgery on you, though? You trust your brain surgeon to perform surgery, but what if your surgeon operated on you 20 years ago? Now, he’s 80 years old. Do you still trust him to perform surgery? That’s the time context. AWS might trust your device for the next 10 minutes, but not next year, if it has not re-authenticated it.

The book then takes these fundamental precepts of trust and applies them to the wide and messy world of computing and the cloud. He explores trust in the context of computer and network security, looking at the complexities of trust in system design and the challenges of implementing system-to-system trust. The book looks at the concept of Zero Trust (ZT), which is one of today’s most prominent applications of trust principles in cybersecurity.

Later chapters deal with trust in Blockchains, open source software, hardware and the cloud. He discusses trust domains and communities of practice for trust inside organizations. For hardware, Bursell focuses on the “root of trust,” which is a critical enabling factor in systems that depend on trusted hardware to function securely. Bursell is thorough and pragmatic throughout. This book is a great resource for anyone who needs to understand trust and its many manifestations across the worlds of computing, cybersecurity and business.

 

 

 

Book Review: Threat Hunting in the Cloud

Wiley’s new book, Threat Hunting in the Cloud: Defending AWS, Azure and Other Cloud Platforms Against Cyberattacks, by Chris Peiris, Binil Pillai and Abbas Kudrati, offers a richly detailed and well organized rundown on mitigating risks that arise in the cloud. This book is for any organization that puts its digital assets on the Amazon Web Services (AWS) or Azure public cloud platforms. In other words, every corporation or public sector entity in the world could benefit from this book.

I say this because virtually all businesses and government agencies are either on the cloud or connected to someone who is. And, as we continue to learn, the cloud presents a massive, attractive attack surface for malicious actors. As the book explains, attackers are using the cloud to stage phishing and ransomware attacks. The cloud presents attackers with opportunities to penetrate networks and breach sensitive data. Attackers now engage in attempts at privilege escalation in the cloud, credential theft, lateral movement and attacks on command & control systems. Organizations must also view the cloud as an attack vector for nation state actors intent on disrupting their operations.

The authors do a good job of explaining why it is not enough to be reactive in the face of cloud-borne threats. Waiting around for the attack is not an effective cybersecurity strategy. They offer a cloud threat hunting maturity model so readers can gauge their organization’s readiness to deal with threats in the cloud. In their view, it pays to be proactive—the more organized, the better.

Like some Wiley books, the 504-page Threat Hunting in the Cloud can be read in parts. The book consists of three main sections. Part I provides an overview of the subject. Parts II and III go into detail on threat hunting in Azure and AWS, respectively. Readers get comprehensive “how tos” for threat hunting in AWS and Azure based on the MITRE ATT&CK framework and MITRE Threat Hunting Framework Tactics, Techniques and Procedures (TTPs).

Threat Hunting in the Cloud goes into an incredible amount of detail. The table of contents alone is 10 pages long. That’s one of the impressive aspects of this book. The authors not only describe why threat hunting in the cloud is critical, they also go into a great deal of depth on how to get the job done.

Also, importantly, the book does not skimp on the organizational aspects of such an effort. An effective cloud threat hunting program has a lot to do with people and team structure. It doesn’t just happen. The right people, with the right skills, need to be in place. They need to understand how the overall security operation works, and where they belong in it, and so forth. The book explores the practicalities of integrating cloud threat hunting with Security Operation Centers (SOCs) and Cyber Fusion Centers.

The solutions proposed in the book are vendor neutral, though the authors do base many of their sections on specific AWS and Amazon tools. These include Microsoft Services for Cloud Security Posture Management and AWS CloudTrail, among others. Given that many larger organizations use both AWS and Azure, along with other platforms, the book provides solutions for forming an AWS-Azure threat hunting fusion capability. As the authors note, threat hunting must accommodate the common multi-cloud strategies being embraced by many organizations.

Threat Hunting in the Cloud then discusses how to respond to threats once they have been identified. It delves into disaster recovery and threat response workflows. Along the way, it suggests metrics that enable an organization to track the success of its threat hunting efforts.

The book ends with a discussion of the future of threat hunting in the cloud. It looks at the growing role—and future potential—of technologies like Artificial Intelligence (AI), Machine Learning (ML) and Quantum Computing in protecting against threats in the cloud.

Threat Hunting in the Cloud is a worthwhile resource for any organization that wants to assess how it is doing in cloud security. For an organization that has not yet started on cloud threat hunting, the book is a must-read for everyone involved in the effort.

Book Review: Ransomware Protection Playbook

The new Ransomware Protection Playbook, by Roger Grimes (Wiley) is a book that I suspect will be widely embraced by cybersecurity practitioners. Grimes, a renowned expert in cybersecurity, provides a comprehensive rundown on the nature of ransomware and a methodical set of practices to mitigate the threat. For anyone who is tasked with ransomware defense, this book should be the first reading assignment, even for experienced professionals.

I love thoroughness delivered by people who know what they’re talking about. This is what Grimes offers. He starts out by describing the long, little-known history of ransomware, which dates back to 1989. He then proceeds to explain how ransomware works, explicating the technological nuances that define many different varieties of this threat. He differentiates between ransomware that merely encrypts data, for example, and ransomware that encrypts entire systems at the root level.

The book is divided into two parts. The first goes into depth on the nature of ransomware. This includes chapters on preventing ransomware, cybersecurity insurance and legal considerations. The insurance section alone is worth the price of the book. It is so easy to get confused by the ins and outs of the evolving policies on the market. Grimes also provides an analysis of the legal consequences for paying a ransom. In this, he is accurate, but perhaps not practical. It’s not clear that anyone will face real life legal ramifications for the increasingly common decision to pay off the attacker.

The second part of the book deals with detection and recovery. This covers the need to develop a ransomware response plan, along with the means to detect an attack. Grimes then proceeds to discuss how to minimize ransomware damage and initiate early response. Later chapters deal with what not to do and the future of ransomware.

The book also asserts that ransomware is not just any old threat. It’s the most serious threat facing cybersecurity teams today. This is the context for Ransomware Protection Playbook. I, too, have emphasized the importance of combatting ransomware to stop the implants it leaves behind. He identifies the rise of Bitcoin as one of the primary factors responsible for the rampant growth of ransomware and the increase in the size of ransoms paid.

The reader will learn how to establish a strategy to protect an organization from ransomware attacks—both through prevention and response. Grimes’ basic insights, however, are a bit sobering. Social engineering remains one of the most effective modes of ransomware attack. People click on links they think were sent by friends. It’s an extremely difficult attack type to defend against, except through user training. And, as most practitioners know, people are the weakest link in cyber defense, and training people has limited impact.

He further notes that security basics, such as patch management, are critical to effective ransomware mitigation. Again, this is a workload that many organizations struggle with. One can hope that warnings about how deficiencies in patching and other foundational security measures create greater ransomware risk exposure may spur people into action.

This is a highly worthwhile book for anyone who needs to get a better understanding of ransomware and devise an effective plan for reducing its potential impact.

 

 

Book Review: Cyberspace in Peace and War Second Edition

This is a review of the second edition of Cyberspace in Peace and War, by Professor Martin Libicki of the US Naval Academy. I reviewed the first edition when it came out in 2019. The second edition contains numerous updates. The world of cyberspace has also changed, with threats and catastrophic cyber incidents such as the SolarWinds hack making the ideas expounded by Professor Libicki all the more relevant to the national security establishment and other policy makers.

First off, this is not a book. It is four books compiled into a single 250,000-word volume. It is a massive treasure trove of fundamental knowledge and insights into one of the most challenging strategic issues confronting the United States today. The four sections of the book cover Foundations, Operations, Strategies and Norms. A cybersecurity novice reading this book will emerge from the experience with basic knowledge of virtually all the strategic and operational aspects of cyberwar and cyber defense. An experienced policymaker will have his or her sense of the topic honed and enriched by this book.

This new version of the book includes more extensive analysis of cyberespionage. It goes into depth on the difficult behavior of Russia, for example, while also breaking down some myths about China—e.g., their networks are much easier to penetrate than some would have you believe. Libicki backs up his assertions with real-life examples and compelling hypothetical scenarios.

One challenge that Libicki has taken on is to place cyberspace in the narrow context of military command and national security policymaking. This is not an easy process, because cyberspace, and technology in general, is a far broader domain. Yet, as Libicki shares, implicitly, in a war scenario a military commander must make specific decisions about using, or not using, the cyber weapons at his or her disposal.

The book delivers a deliciously thorough rebuke to the many armchair experts who claim to possess simple solutions to the immense national security challenge. Easy answers are simply not available in this arena, and Libicki breaks this down in case after case. A crowd-pleasing idea like “Let’s hack them back!” will create a cascade of unanticipated counter-threats, as he explains in multiple iterations throughout the book.

At the same time, there are parts of this book that are somewhat infuriating. While the military and national security establishment are necessarily segregated from the rest of the world, in terms of cyberwar, it is not realistic to ignore, as Libicki tends to do, the broader reality of America’s cyber vulnerabilities. For instance, a recurring theme of the book is that cyberattacks have temporary effects, and can generally be reversed within a few hours. Therefore, he argues, military commanders should not assume that a cyber weapon will have much of an impact on a broader military operation.

This may be true, in a one-off analysis, but the current reality is that China has used cyberwar techniques to visit extensive, or even complete, degradation on America’s war fighting capabilities over the last 15 years. The intellectual debate about attack vs. counteract has long passed in this situation. China has stolen the plans for our biggest weapons system, the F-35, and can be credibly accused of breaking into every major defense contractor, American industrial corporation and weapons program. China has also stolen virtually all of the US government’s personnel data, naval codes and more.

In parallel, Russia has penetrated thousands of government and business targets, giving it the ability to wreak havoc on the American economy and society if it feels so provoked. It is easy to imagine a scenario where America’s defense industrial complex, along with wide swaths of the country itself, are paralyzed by cyberattacks—rendering the country’s defenses extremely impaired. These factors must be added to any narrow “use ‘em or lose ‘em” analysis of military cyber weapons.

Even the basic idea of the cyber weapon can be misplaced in this confusing moment. The book often places cyber weapons in an NSC-68 style policy framework, as if they were hydrogen bombs. They are not. Cyberwar has a lot more to do with espionage and sabotage over the long run, not a yes/no command decision on a kinetic battlefield. The risks we face are far more serious, in my view, than Libicki suggests in his tight policy dialogues.

 

 

Book details

  • Publisher : Naval Institute Press; 2nd edition (September 15, 2021)
  • Language : English
  • Hardcover : 512 pages
  • ISBN-10 : 1682475867
  • ISBN-13 : 978-1682475867

Book Notice: Cybersecurity, by Duane C. Wilson

The latest volume in the MIT Press Essential Knowledge Series is Cybersecurity, by Duane C. Wilson. The book is being released on September 14, 2021, but it is available for pre-order now. In keeping with the series’ goal of offering accessible, concise pocket-sized books on topics of current interest, Cybersecurity offers a useful rundown of definitions and explanations about cybersecurity for the everyday user. It covers subjects such as cryptography and public key infrastructure, malware, blockchain and more.

At 160 pages, the book is very easy to digest. A glossary adds to its value for the general reader. Wilson is highly skilled at explaining advanced concepts in easy-to-understand language. In this, he is doing a great service to the fields of information technology, business and government—as it seems today that everyone needs to be a cybersecurity practitioner at some level. In our day-to-day lives, we are routinely asked to make decisions about our data privacy, for example. This book describes how the underlying mechanisms of data privacy work, along with many other relevant areas of knowledge.

The book contains a helpful overall discussion of the origins of cybersecurity, a discipline that predates the digital age. Protecting information has been a goal of the military and industry for centuries, with a variety of ingenious techniques developed along the way to defend against nosy adversaries. The computer has served as a vast accelerator of these practices.

Wilson then covers subjects such as cryptography, an area of technology where most of us (including myself) think we know more than we actually do. He gives the reader a straight explanation of the common approaches to encryption. He also delves into the layers of cybersecurity, establishing for the reader that security is not a single solution, but rather an orchestration of many different technologies and policies.

One interesting aspect of the book relates to Wilson’s assertion that there are six “pillars” of cybersecurity. Traditional “infosec” would have you think there are just three: confidentiality, integrity, and availability. Wilson adds authentication, authorization, and non-repudiation, which refers to validating the source of information. Experts might disagree, but it’s a valid point, in my view. You cannot really have confidence in data integrity, for instance, if you cannot authenticate system users.

This book is highly relevant today, as it seems that every object in modern life is now connected to the internet. As Wilson points out, all of this connectivity creates risk exposure. Convenient as it may be, for example, to have a smartphone, the device makes our data more vulnerable to theft.

 

Book Review: AI at War

AI at War: How Big Data, Artificial Intelligence, and Machine Learning are Changing Naval Warfare

Edited by Sam J. Tangredi and George Galdorisi

AI at War: How Big Data, Artificial Intelligence, and Machine Learning are Changing Naval Warfare, the new book from Naval Institute Press, offers an ambitious discussion about the US military’s adoption of Artificial Intelligence (AI) and related technology. Edited by Sam J. Tangredi and George Galdorisi, former US Navy officers who now work in naval officer training and strategic planning, AI at War is not a traditional book. Rather, it is a collection of 18 papers on the many aspects of the subject matter.

Reading this book is a bit like attending a symposium with 18 panel discussions. Tangredi and Galdorisi have done a great job in curating the material and presenting it in an order that takes the reader through the byzantine collection of interlocking policy issues that surround the technologies. Starting with a quite helpful comparative definition of AI and Machine Learning (ML), the book orients the reader to the underlying technologies, as well as the pre-technology philosophical issues that drove the development of AI and ML in the first place.

This is not a scholarly digression. Rather, as the editors understand, it is impossible to grasp the potential of AI and ML in the military if one doesn’t have a sense of how their foundational ideas have permeated military thinking for centuries. As one of the contributors put it, soldiers have been wondering what’s on the other side of the hill for thousands of years.

The material can be slow-going in places, but this is not a beach read. It’s a serious discussion of what are arguably some of the most significant challenges to have faced the US military in a generation. The book discusses AI and ML as a matter of global great power competition—providing some fascinating insights into the different ways that Russia and China, the USA’s two main adversaries, might use the technologies. In this, the contributors challenge the reader’s assumptions about military use of technology in general. Russia and China have different relationships between their governments and their militaries, so their use of AI and ML will be different. In China’s case, for example, AI is most likely being used as a mechanism to monitor the political loyalty of junior officers.

The book also takes the reader into important dialogues about the realities of developing new AI and ML for the military and implementing them at the level of naval operations. The contributors point out how AI and ML policy will have to navigate the complex institutional and political aspects of the Navy and other service branches. Congressional pork barreling, influential defense contractors and inter-service tensions will very much be a part of AI and ML coming into the mainstream of the Navy. Realism is a must in any discussion of the technologies.

Along the way, the book covers potential AI and ML use cases in the Navy. In this, the contributors highlight areas where AI and ML can make an impact on and off the zone of combat. For example, AI and ML might help with supply logistics, a less sexy but vital area of naval operations that can help win battles. The book also delves into the thorny moral and command issues raised by autonomous weapons.

As the contributors point out, AI and ML are already in use in the Navy. And new AI and ML tools will be added to the naval technology landscape whether policy planners want them there or not. They are simply arriving inside all sorts of new technologies being acquired by the service every year. The challenge will be to identify and pursue a coherent and advantageous overall strategy.

This is a necessary book, because, as the editors explain, there has not been enough discussion of AI and ML in naval circles separate from requests for funding. As the editors and contributors seem to understand, if the matter is not well understood by the leadership of the Navy, the funding of AI and ML research will not be well spent.

Overall, AI at War is a worthwhile and useful contribution to a serious dialogue about the best way to employ emerging AI and ML technologies in the defense of the United States.

Product details

  • Publisher : Naval Institute Press (March 30, 2021)
  • Language : English
  • Hardcover : 464 pages
  • ISBN-10 : 1682476065
  • ISBN-13 : 978-1682476062

SASE Industry Leader Versa Networks Publishes ‘SASE For Dummies’ Book

Readers Will Learn about SASE Business and Technical Background, Best Practices, Real-World Customer Deployments, and Benefits of a SASE-Enabled Organization

 

San Jose, Calif. – March 24, 2021 – Versa Networks, the leader in SASE, today announced that it has published the book SASE For Dummies.

Readers will learn about the business and technical background of SASE (Secure Access Service Edge), including best practices, real-world customer deployments, and the benefits that come with a SASE-enabled organization. A complimentary copy of the book SASE For Dummies is available beginning today at https://versa-networks.com/resources/ebooks/sase-for-dummies/.

SASE brings pervasive, cloud-native, and trustworthy networking and security to the modern enterprise. Its capabilities extend far beyond traditional networking and security architectures by incorporating capabilities such as identity, trust, and context regardless of the connection, user, device, or application. SASE also enables policies to be delivered pervasively, consistently, and ubiquitously, so organizations can meet security, networking, application, user, and business requirements.

SASE For Dummies was written by Versa Co-founders Kumar Mehta and Apurva Mehta, who have more than 75 years of combined experience in the security and networking industry. Kumar Mehta is a product visionary who has led the development of multiple blockbuster networking and security products. Apurva Mehta is an engineering luminary who has developed industry-leading products in networking, security, and packet-core that have created billion-dollar revenue streams.

“SASE is the fastest growing category in networking and security and Versa is the clear leader and fastest growing SASE vendor,” said Michael Wood, Chief Marketing Officer for Versa Networks. “Versa Co-founders Kumar and Apurva are pioneers in networking and security and have been architecting and designing the requirements, services, and capabilities of SASE long before the industry term was coined. This is an opportunity for readers to learn from their extensive industry experience, expertise, and best practices in the new book SASE For Dummies.”

SASE For Dummies covers everything organizations need to know about SASE. Readers will discover what SASE includes, how enterprises and organizations benefit, how SASE implements security, how to best deploy it, and how to take advantage of its best features. The book details how SASE protects the network perimeter, optimizes security and performance, decreases cost and complexity, delivers a consistent experience, and centralizes management and control. Obtain a complimentary copy of the new book here https://versa-networks.com/resources/ebooks/sase-for-dummies/.

Unlike competing solutions, Versa SASE was built from the ground up to deliver a tightly integrated SASE solution within a single software stack managed via a single interface, eliminating service chaining, cascading, and virtual interconnect between services, which is required by competitors. Competing solutions have hidden costs and gaps in security because they require multiple product and service components. Achieving visibility and control from solutions requiring service chaining to connect multiple components together proves ineffective, increasing the costs and attack surfaces for organizations.

Versa SASE is the only solution proven to deliver the industry’s leading and differentiated architecture for high performance and security. Gartner recently identified Versa SASE as having the most SASE components out of the 56 vendor products Gartner evaluated. Enterprise Management Associates (EMA) also found that Versa SASE has the most SASE supported functions, as published in its recent industry report.

 

About Versa Networks
Versa Networks, the leader in SASE, combines extensive security, advanced networking, industry leading SD-WAN, genuine multitenancy, and sophisticated analytics via the cloud, on-premises, or as a blended combination of both to meet SASE requirements for small to extremely large enterprises and Service Providers, and via the simplified Versa Titan cloud service designed for Lean IT. Thousands of customers globally with hundreds of thousands of sites trust Versa with their networks, security, and clouds. Versa Networks is privately held and funded by Sequoia Capital, Mayfield, Artis Ventures, Verizon Ventures, Comcast Ventures, Liberty Global Ventures, Princeville Global Fund and RPS Ventures. For more information, visit https://www.versa-networks.com or follow Versa Networks on Twitter @versanetworks.

 
