At a glance.
- Domestic influence operations flagged by Twitter.
- Zoom's relationship with Beijing draws criticism.
- Secondary Infektion: plenty of opsec, not so much efficacy.
- Al Qaeda calls for "e-jihad."
- Redacted WikiLeaks Task Force report published.
- Content moderation, freedom of expression, legal immunities, and countermessaging.
Domestic influence operations flagged by Twitter.
Twitter has identified a large number of state-run accounts pushing disinformation. The largest network was Chinese-controlled: 23,750 "core accounts" that were highly active in distributing Beijing's line on various issues, with special attention given to matters affecting Hong Kong. A large number of "amplifier accounts," about 150,000, repeated the core accounts' traffic. The content was for the most part in Chinese and evidently addressed to a largely domestic audience. Twitter says that despite the accounts' high level of activity, they enjoyed relatively few followers and had achieved little traction.
Twitter also identified 1152 Russian accounts associated with the Current Policy state-run news site; these were engaged in distributing messages favoring the Russia United Party in an influence campaign directed toward domestic audiences.
Also interested in domestic influence were 7,340 accounts in Turkey whose line favored President Erdogan and the AK Party.
Zoom's relationship with Beijing draws criticism.
Zoom, having (as the Telegraph and other outlets report) locked out account holders after they held online discussions commemorating the thirty-first anniversary of the Tiananmen Square massacre, is drawing criticism for aligning its services with Chinese policy. The Wall Street Journal notes that the activist group affected, San Francisco-based Humanitarian China, had its access quietly restored after the suspension was reported by Axios. Zoom has expressed its regrets and said it “will not allow requests from the Chinese government to impact anyone outside of mainland China.” But many critics remain unmollified, asking with Security Boulevard, "Is Zoom the next Huawei?"
The criticism has affected Zoom. At midweek the service decided to reverse an earlier decision to provide end-to-end encryption only to premium accounts. Zoom will henceforth offer end-to-end encryption to all users of its remote conferencing service.
Secondary Infektion: plenty of opsec, not so much efficacy.
Graphika has published a new study of Secondary Infektion, the Russian disinformation operation. The report concludes that Secondary Infektion has been in continuous operation since 2014, that it's run by a single unidentified controlling agency, and that it's been relatively quiet, at least compared to the noisier operations of the GRU and the troll-farming Internet Research Agency. Graphika gives the operation high marks for security, which can be attributed in part to Secondary Infektion's tendency to prefer short-lived, often single-post, blogs ("single-use burners") to social media, where coordinated inauthenticity would be easier to spot.
But it's not clear how effective the operation has been. Its posts have a record of low engagement rates, they made unusually heavy use of forged documents, and the operators' linguistic capabilities have been uneven, to say the least. The French, German, and English they use are poor, and marked by the usual stigmata of a non-native speaker with roots in a Slavic language: poor grasp of the idiomatic use of articles, uncertainty about case (especially the genitive), eccentric word order, and (in French and German) trouble handling grammatical gender. Think of the diction one finds in an easily recognized phishing attempt. With respect to English at least, the Kremlin has linguists who could do much better: Secondary Infektion's stuff reads like bad North Korean agitprop. It’s not even the playfully mangled language the old Shadow Brokers used to use, with a wink and a nudge. The Brokers always achieved a wacky kind of lyricism that any fair-minded person would appreciate. This stuff is just poorly executed.
Here’s an example, an attack against the Atlantic Council’s Digital Forensics Research Lab, which outed Secondary Infektion last year: “Yes, the ‘forensic experts’ were wrong about almost everything, but they thought the existence and spread of a different opinion from their employers’ was a serious threat, and Devil take it, that tickles my pride.” Devil take it indeed. And, if we may say so, the Atlantic Council’s DFRLab should wear that one as a badge of honor.
In any case, Graphika finds nine themes that have dominated Secondary Infektion’s output since its inception:
- “Ukraine as a failed or unreliable state”
- “US and NATO aggression or interference in other countries”
- “European divisions and weakness”
- “Elections, especially in the United States, United Kingdom, and France”
- “Migration and Islam”
- “Russia’s doping scandals in various sports competitions”
- “Turkey as an aggressive, destabilizing power”
- “Defending Russia and its government”
- “Insulting Kremlin critics, including Aleksei Navalny and Angela Merkel”
These are often supported with implausible forgeries. Many of these topics suggest that Secondary Infektion’s work was if not directed toward, at least imaginatively dominated by a Russian domestic audience.
Secondary Infektion is not, as several headlines have suggested, a newly discovered operation, as Graphika explains. Facebook flagged the operation (although not under the "Secondary Infektion" name) as "coordinated inauthentic behavior" in May 2019, and the Atlantic Council described and named it last June. Secondary Infektion began by placing stories in obscurer corners of the Internet’s hinterlands. It then amplified these through Facebook accounts and, ultimately, in the state media outlet RT. The DFRLab doesn’t have access to Facebook’s backend data, but they attribute Secondary Infektion to Russian actors on circumstantial “contextual and linguistic” grounds. Some of the content was, however, obviously faked, and would arouse suspicion even apart from language and context. One of the stories RT carried with a straight face in its German-language edition late last year showed an obviously bogus tweet attributed to US Senator Marco Rubio, Republican of Florida, warning that British intelligence intended to hack American elections (CNN). RT noted in a follow-up that Senator Rubio denied making the posts, but didn’t retract its story.
So what’s new in Graphika’s report? It’s the extensive catalogue of Secondary Infektion’s works. And reading through them teaches, again, the lesson that opsec by itself isn’t enough for efficacy. We may not know which sub-directorate in which Russian service ran these messages, but how much does that really matter, in the long run? Again, Moscow has groups like Fancy Bear and the Internet Research Agency who’ve shown they can do much better. Graphika does have one quietly interesting suggestion. Looking at the very low engagement rates Secondary Infektion’s output produced, they suggest that maybe the operators were paid for output, not reach. So as a famous Russian thought-leader once remarked, quantity has a quality all its own, and we’d add that in this case the quality was pretty bad.
Al Qaeda calls for "e-jihad."
Al Qaeda is back online, Homeland Security Today reports, in the form of its English-language One Ummah magazine, seeking to inspire "e-jihad," the proverbial cyber 9/11. Its treatment of the matter seems aspirational, and offers little that a wannabe online fighter could really get his teeth...or her teeth? not really plausible...get his teeth into. Perhaps that’s unfair to the pleonastically named One Ummah. After all, you don’t subscribe to Soldier of Fortune if you’re interested in learning to code.
More seriously, it’s striking how parasitic a tone al Qaeda takes. There’s a great deal about bringing down “the West” with the tools of the West’s own creation, like smart devices and the Internet itself. And there’s plenty of bad comment about rival jihadists, especially ISIS, or the “goons of Baghdadi,” as One Ummah calls them, which suggests that things haven’t changed much with respect to cyber-jihad. And that the Ummah may be other than one.
Redacted WikiLeaks Task Force report published.
The Washington Post has shared the full (albeit understandably redacted) text of the CIA's WikiLeaks Task Force report. With respect to Langley's mission systems, at least, the report bluntly states, "CIA has moved too slowly to put in place the safeguards that we knew were necessary given successive breaches to other US Government agencies." It adds later, "We have been slow—due to resource choices and cultural resistance—to extend state-of-the-art audit and user activity monitoring technology to mission systems not connected to the main enterprise network." And it assesses that WikiLeaks should be assumed to have everything the affected CIA unit kept in Stash or Confluence.
Chris Roberts, Hacker in Residence at Semperis, offered some perspective on the whole Vault 7 incident:
"Let's start with the caveat that NOTHING is infallible; nothing will protect you, the only things you can do are to reduce the risks, reduce the exposure, AND monitor/manage the heck out of what's left. Saying that, there are some basic things AND some basic attack vectors that we all know, understand, and recognize in our industry, and when those basics are not followed, or red tape gets in the way of sensible decisions, that's when mistakes happen, and adversaries or bad actors/internal threats can take advantage of a situation. So, if authentication and Active Directory were well monitored, managed, and controlled, you'd certainly slow down someone trying to get to the data. You put correct access controls, oversight, and reporting on that sensitive data. You've got another layer for someone to deliberately break through (and for you NOT to notice the alerts), and then exfiltration: you can only walk out with something IF someone lets you. So, working to close those holes down too, again, all basic, but if you're not focusing on them you can pretty much drive the dump truck up to the datacenter and walk off with everything."
The report's security implications are of course significant, but it's worth recalling that WikiLeaks functioned most effectively as an influence operation.
Content moderation, freedom of expression, legal immunities, and countermessaging.
Part of the tension between free expression and control of illicit content may be seen in the US Communications Decency Act. The Wall Street Journal offers some historical context for the passage and effects of what the Journal calls "the defining law of the Internet age." It's likely to see some revision.
The US Justice Department yesterday issued its review of Section 230 of the Communications Decency Act. Section 230 has generally served to shield Internet platforms from various forms of civil and criminal liability. The Department recommends four categories of reform that it says would bring the balance of various interests into line with the ways the Internet has evolved since the law was passed in 1996.
The revisions would “incentivize online platforms to address illicit content,” denying Section 230 protection to genuine bad actors, carving out exceptions for terrorism, child abuse, and cyber-stalking, and for “case-specific carve-outs” that would remove protection from platforms that knew, in a specific case, that third-party content was illicit.
The proposed revision would also clarify Federal civil enforcement capabilities, promote competition, and, in the Department's words, work toward “promoting open discourse and greater transparency” by replacing “vague terminology” and defining “good faith.” As the Department's announcement puts it:
"The Department of Justice has concluded that the time is ripe to realign the scope of Section 230 with the realities of the modern internet. Reform is important now more than ever. Every year, more citizens—including young children—are relying on the internet for everyday activities, while online criminal activity continues to grow. We must ensure that the internet is both an open and safe space for our society. Based on engagement with experts, industry, thought-leaders, lawmakers, and the public, the Department has identified a set of concrete reform proposals to provide stronger incentives for online platforms to address illicit material on their services, while continuing to foster innovation and free speech."
In a separate story, Axios reports that Senator Josh Hawley (Republican of Missouri) has introduced a bill, the Limiting Section 230 Immunity to Good Samaritans Act, that would make Section 230 protections conditional upon a company's adopting terms of service that pledge to operate in good faith and that detail their content moderation policies. Gizmodo thinks the bill won't "make Silicon Valley sweat" because it simply requires companies to establish and adhere to standards.
In terms of US messaging and countermessaging, this week has seen large changes in US Government supported media outlets. The New York Times reports that the new director of the United States Agency for Global Media yesterday dismissed the directors of Radio Free Asia, Radio Free Europe/Radio Liberty, Middle East Broadcasting Networks, the Office of Cuba Broadcasting, and the Open Technology Fund. The Director and Deputy Director of the Voice of America resigned earlier this week. These were all relatively respected and effective organizations; how they'll fare in the future remains an open question.