What to Do About Russian “Active Measures”

This is the third in a series of three articles about Russian state-sponsored “Active Measures” attacks against the United States. The Active Measures targeting American elections, business and government include data breaches, cyber-physical attacks on critical infrastructure and social media disinformation. The first article asked if social media disinformation should be classified as hacking. The point of this discussion was to understand if disinformation campaigns were cyberattacks that could be mitigated with cybersecurity countermeasures.

The second article sought to establish links between Russia’s multiple modes of attack. Indeed, looking at the three attack fronts, one could conclude that they are unrelated and perhaps not attributable to Russian government strategies. Expert opinion on these questions was mixed. Some felt that disinformation was not hacking. Others believed the individual Russian Active Measures were unrelated, or at least not coordinated. The consensus, however, was that disinformation is a form of cyberattack—part of a clear, coordinated attack on the United States for the purpose of destabilization and the creation of political chaos.


This final article in the series asks industry experts, with government experience, what the US can do about these threats. American political parties, such as the Democrats, are struggling with this challenge right now. If problems have solutions, what can we do about this one?

 

The Experts Weigh In: What Can the US Do about Russian “Active Measures”?

According to Richard Henderson, Head of Global Threat Intelligence at Lastline, “It really will take the full force and might of the US government’s intelligence apparatus to combat this, and I’m not sure they’re willing to come right out and help in this way. Should they ‘hack back’ and attempt to disrupt these state-led or state-sponsored groups from launching disinformation campaigns? That’s a level of escalation I’m not sure anyone wants to see.”


Henderson then added, “What may be more effective is using much more human and Cold War-esque techniques: physically infiltrating or subverting these teams and using that information to work behind the scenes with social media companies to help stop campaigns as quickly as possible and provide actionable intel to shut these groups out of western social media.” Finally, he shared, “What won’t work from the government is more subpoenaing social media executives to come before a House Committee and excoriating them for not doing enough to stop it. The massive nature of these social networks means that it will be almost impossible for any response to be anything but reactive, and not proactive.”


Adam Flatley, Vice President of Tailored Intelligence at Prevailion, viewed the issue differently. He said, “In a free society, you can’t limit freedom of speech, and it is precisely that freedom that active measures campaigns are using to their advantage. You can’t defend people’s ears against what they hear, and continually educating the public will only go so far. The only real way to mitigate such an asymmetric threat would be to attack the group(s) that are engaging in active measures campaigns and make it so difficult and/or expensive to undertake that it’s not worth it, you can eliminate the problem at the source.”

In contrast, Daniel Smith, Head of Security Research at Radware’s emergency response team, noted, “You will never be able to stop Information Warfare. There is no silver bullet to this problem. The solution rests in user education. The problem is the same with phishing. We must train users to spot false information. We must also educate users on how to verify content. This is more difficult than most people believe because it opens them up to becoming vulnerable.”


“Regulation is not always a bad thing and the line between news and entertainment and social media disinformation has been blurred,” declared Catherine A. Allen, CEO, Shared Assessments. “Like the old days of network news under FCC regulation, social media and cable news networks need to be monitored to be sure they are providing balanced and truthful news to individuals or fined or at least have to carry a rating or statement that this news might be false or from a foreign bot, etc.”

Allen also felt the Trump Administration “not only is not taking it seriously, it actually is helping the Russians…from denying money for security of election machines to saying they will share Cyberwarfare information with the Russians.” To address this problem, she suggested, “In addition to taking the necessary steps for systems and devices to be as secure as possible and for people to practice security hygiene (We have a long way to go here), additional education needs to be made to consumers about social manipulation and fake news. Pressure must be put on social media platforms like Facebook and Instagram and Twitter to have editorial policies and screening of posts and the source of the posts as well as influence of bots.”


William Tsing of Malwarebytes worried that “under our current legal framework, the US government can most likely do nothing about disinfo campaigns.” He then shared, “Cultural norms make many strategic decision makers loath to address an issue that exists on private sector platforms, transiting private sector infrastructure. Private industry, however, has a number of options available. Many companies relegate counter fraud issues to non-technical legal staff and armies of poorly paid contractors.”


According to Tsing, “A modicum of technical expertise applied to these problems, however, often surfaces tools and infrastructure used by bad actors that can be shut down. Light analysis to individual fraudulent accounts can often surface hundreds more. Crowdsourcing bogus account spotting using predefined criteria can overcome issues of time and under-resourced technical staff. Reporting tools for social platforms have enormous room for improvement. Twitter, for example, has no clear reporting mechanism for use cases such as spotting fake accounts or reporting illegal activity of any sort.”


“Collaboration with the social media sector as well as private sector companies may be a good place to start,” said Nick Kael, CISSP, CCSK, CEH and Chief Technology Officer of Ericom Software. “On the social media side, working with companies to ensure they have internal programs and processes in place to quickly identify and shut down campaigns makes sense. And, working with these companies to help visitors understand that disinformation activity is real and occurring and urging them to take this into account as they are sourcing information, is another. On the security side, the government could work with security vendors to help get the message out to businesses about human behavior vulnerabilities that can be exploited in a phased campaign (e.g. disinformation engagement followed by socially engineered malware delivery) so that effective countermeasures can be put in place.”


Brinqa’s Haythem Hammour commented, “Due to various technical and legal complications, it is quite impossible to shield millions of users across multiple social media platforms from the impact of psywars. However, in collaboration with service providers, the US government is capable of initiating large-scale awareness campaigns while providing intuitive, intelligent, and effective content assessment tools.”

 

Conclusion

As the expert insights reveal, Russian Active Measures are a thorny problem to address. Some of the potential solutions go against the grain of American society as well as American law. Freedom of speech and open platforms are hallmarks of American identity. Restricting them will not be easy or popular. Yet, solutions are required. The attacks seem to be on the verge of fomenting a true political crisis. The takeaway from all this appears to be that everyone needs to get involved and do their part to counter the attacks—so the United States can be stable and safe, while preserving the freedoms and rights it holds so dear.