At a glance.
- The opposition isn't ten feet tall.
- Pay no attention to that man behind the curtain.
- CISA's contribution to rumor control.
- Direct marketing comes to disinformation.
- OSINT for influence.
- Update: the alleged Hunter Biden emails.
- Pro-tip: keep your effects in the impact area, eh?
The opposition has problems with execution, too.
Late Friday Google published an update on what it’s observed of foreign intelligence services’ activities against US political campaigns. Over the summer Google’s Threat Analysis Group monitored attempts by Iran’s APT35 (also known as Charming Kitten) and China’s APT31 (or Judgment Panda) to compromise email accounts belonging to staffers at both the Trump and Biden presidential campaigns. The attacks were carried out by phishing. Google says it saw no signs that the attacks were successful.
The Threat Analysis Group also observed “spammy,” clumsily executed attempts at influence operations directed against US audiences by inauthentic networks run from China:
“This network has a presence across multiple platforms, and acts by primarily acquiring or hijacking existing accounts and posting spammy content.” There’s that word, “spammy,” and Google adds that the content was in Mandarin and featured the usual Internet geegaws of such clickbait as videos of animals, music, food, plants, sports, and games. Google went on to say that, “A small fraction of these spam channels will then post videos about current events. Such videos frequently feature clumsy translations and computer-generated voices. Researchers at Graphika and FireEye have detailed how this network behaves—including its shift from posting content in Mandarin about issues related to Hong Kong and China’s response to COVID-19, to including a small subset of content in English and Mandarin about current events in the U.S. (such as protests around racial justice, the wildfires on the West Coast, and the U.S. response to COVID-19).”
Most of these were carried out over YouTube, marred by clumsy machine translation and ineffectual execution. It’s worth remembering that the opposition isn’t always ten feet tall. That’s not a counsel of relaxed vigilance, just a realistic appraisal that the opposition has its problems, too.
Disinformation by simple denial.
Pay no attention to the man behind that curtain. TASS is authorized to disclose that accusations of misconduct in cyberspace leveled against the Russian government in general and the GRU in particular are not only baseless, but amount to "blatant Russophobia." Sez TASS, you Russophobes you, so take that.
CISA's rumor control page.
The US Cybersecurity and Infrastructure Security Agency (CISA) has established a rumor control page for 2020 election security. The page identifies nine myths and offers a debunking of each, covering topics such as voter registration databases, website outages and defacements, mail-in ballots, and other misinformation that’s making the rounds. It’s worth a look, and perhaps useful to send around to those friends and relatives who just can’t resist forwarding the latest conspiracy theory memes.
- “Rumor: Someone is claiming to know who I voted for.” CISA lists all the various safeguards in place that ensure the privacy of voters’ ballots. It also points out that some voter registration information generally isn’t private, like party affiliation and whether or not you voted at all. But these have nothing to do with how you actually voted. So if someone tells you they know you’re a registered Whig and then suggests that this is evidence they know you cast your ballot for Winfield Scott, it’s hooey--they’re putting you on.
- “Rumor: Someone possessing or posting voter registration data means voter registration databases have been hacked.” Nope. As we just said, a great deal of what’s in voter registration is a matter of public record, and having it is no more evidence of a successful hack than would be, say someone’s possession of a phone book.
- “Rumor: An online voter registration website experiences an outage and claims are made the election has been compromised.” As CISA points out, stuff happens: “Outages in online voter registration systems occur for a variety of reasons, including configuration errors, hardware issues, natural disasters, communications infrastructure issues, and distributed denial of service (DDoS) attacks.” An outage doesn’t necessarily mean the integrity of the vote has been compromised.
- “Rumor: If state or local jurisdiction information technology (IT) has been compromised, the election results cannot be trusted.” Again, nope--not necessarily so. Not every state and local IT system has the same kind of safeguards in place that elections do.
- “Rumor: Videos, images or emails suggesting voter registration information is being manipulated means voters will not be able to vote.”
- “Rumor: A malicious actor can easily defraud an election by printing and sending in extra mail-in ballots.” Tougher than it sounds, and state and local election offices have measures in place to prevent this. After all, they’ve been doing it for years with ordinary absentee ballots.
- “Rumor: If polling place lookup sites experience an outage, election infrastructure must have been compromised.” Again, stuff happens. An outage doesn't necessarily mean a compromise.
- “Rumor: If election night reporting sites experience an outage, vote counts will be lost or manipulated.” See above about outages. And besides, the results reported on TV news aren’t the official count in any case.
- “Rumor: If the election night reporting webpage is defaced or displays incorrect results, the integrity of the election is compromised.” And reporting webpages are no more official counts than are television news shows.
So keep calm and keep on, as rumor control sites traditionally say. ABC News quotes senior leaders at the Department of Homeland Security who counsel patience as well as vigilance.
Direct marketing comes to disinformation.
The US Director of National Intelligence yesterday said that threatening emails received by voters in several states were the work of Iranian threat actors. See the AP for a general account. Both KnowBe4 and Proofpoint have published discussions of the emails. The text looked much like that found in sextortion phishing, except that in this case the threat conveyed was that the attackers knew who the voters were, where they lived, and would visit them with violence if they did not vote for President Trump’s reelection.
We asked KnowBe4, when they sent us their analysis, if this didn’t amount to phishing without the phish hooks. "As for CyberWire’s question, they’re correct,” KnowBe4 told us. “At first glance, this does appear to be a phishing email, as it resembles classic 'sextortion' emails that are now very common. That said, there are no malicious links or attachments, and no demands for money. The email mainly demands votes and changes of voter registration.”
The senders claimed to represent the Proud Boys, a white supremacist fringe group, but that claim was quickly disavowed and debunked. The threat the emails conveyed is also no more credible than the threats conveyed by their sextortion models. The intent appears to have been disruptive. Whatever Tehran takes its interests to be, as Defense One notes, the reelection of President Trump is unlikely in the extreme to figure among them.
Proofpoint said, in response to a question we sent them, that they had no direct insight into the party affiliations of the people who received the emails. The emails themselves accused the recipients of being known Democrats, but that of course doesn’t mean that they were, or are. And various news outlets have said that people registered as Republicans, or independents, or Libertarians, or Bread and Roses members, or Prohibitionists, or whatever, may well also have received the emails. (Republicans and independents, anyway--we’re just speculating about the others.)
All this suggests poor aim in what amounts, in terms of tactics, techniques, and procedures, to a direct marketing campaign. The Washington Post quotes the Foreign Policy Research Institute’s Clint Watts, whose Twitter feed has an instructive discussion of why, on grounds of sheer argument-to-best-explanation, the operation looks like one of Iran’s. One reason is stylistic: it’s ill-timed, for one thing, and Iran has not shown great sensitivity to timing. Another reason is the apparent motive: it runs against the interests of the Trump campaign, whatever the text of the email might say. If one were to ask, cui bono, the answer would decidedly not be the incumbent President. President Trump isn't exactly flavor of the month in Tehran. The overall effect is sloppy. Iranian influence operators aren't complete stumblebums, but they are, relatively speaking, tyros, especially when compared to the Russians. We can see that: marketing campaigns for, say, vacation time shares or Jazzercise franchising opportunities would all probably be better directed, to say nothing of the rifle-shot accuracy of association that Chrome or Amazon serve up to their users (often whether the users like it or not).
OSINT as applied to influence operations.
The Wall Street Journal reports that the Director of National Intelligence also said that not only Iran, but Russia too, had obtained voter registration data. Such data are in most US jurisdictions matters of public record, freely available, and authorities expect to see more use of such information in the final weeks before the election.
So of course, the claim in the emails that the attackers had penetrated election systems is so much hooey. KnowBe4 added, in their reply to our questions, "Moreover, it’s worth pointing out that the entire threat in this email turns on the claim to have penetrated election systems, giving whoever is behind these emails the ability to monitor users’ election behavior. That’s just not a credible claim, as it is simply not believable that a group that had managed to penetrate election systems would be advertising the fact in such a public manner several weeks before the election. We would expect any group that penetrated those systems to be sophisticated enough to hold their tongues and bide their time — waiting for the opportunity to do real damage come Election Day."
The Washington Post characterizes the threat as long-expected, “targeting voter confidence rather than ballots and run on the cheap, probably with publicly available data.”
US designates more Chinese outlets as propaganda machines.
Yesterday the US State Department labeled six new Beijing media channels “foreign missions,” according to the Hill. Economic Daily, Xinmin Evening News, Yicai Global, Social Sciences in China Press, Beijing Review, and Jiefang Daily are accused of distributing Chinese propaganda, and must inform State about in-country staff and operations. Beijing answered the last round of designations, which the CyberWire covered earlier, by revoking accreditations for three US publications. State spokesperson Morgan Ortagus said the goal is to “ensure the American people know whether their news is coming from the free press or from a malign foreign government. Transparency isn’t threatening to those who value truth.” In the background, of course, are disputes over trade, Covid-19, Xinjiang, Taiwan, Tibet, Hong Kong, and election interference.
"Smoking [Hunter's] gun" updates.
Last week's reports by the New York Post that alleged “smoking gun” emails were found on a computer said to belong to Hunter Biden, son of former US vice president and present Democratic presidential candidate Joseph Biden, remain as controversial as they were when first released. Here's the range of opinion, from left to right:
- They're bogus, fabrications in a Russian disinformation campaign. (See POLITICO, and the open letter it links from former intelligence officers, as well as, in a more muted form, the Washington Post.)
- They're made-up, for-profit junk, peddled by a bunch of Ukrainian freelance grifters and uncritically swallowed by Rudy Giuliani, in a will-to-believe mood. (See Time.)
- They're a domestic political dirty trick. (POLITICO, this week.)
- We don't know. (See Reason for some suggestions on how confirmation one way or another might be achieved.)
- We don't know, but it doesn't seem to be a Russian operation, at least not in its entirety. (See the Washington Post's report on the position taken by the Director of National Intelligence and, by implication, the FBI.)
- They're not genuine, but they accurately capture an underlying reality. Roughly speaking, this would be to view them as then-CBS anchor Dan Rather came briefly to regard the forged letter about President George W. Bush's Air National Guard service: "fake but accurate." This view has been suggested in numerous asides by people who remember, uneasily, the appearance of impropriety that President Obama's State Department remarked on in 2015. (See the Wall Street Journal.)
- They're the goods. Just wait until they're authenticated to your satisfaction. (See the New York Post.)
Twitter's handling of the Post story, amounting to a ban, hasn't drawn much admiration. Twitter itself changed its approach, which suggests that the platform hasn't yet finished grappling with developing standards that can be applied in a relatively impartial way. There are two questions that any counter-disinformation policy must address:
- The epistemic question of distinguishing truth from lies, and both from mistakes, delusions, and simple hogwash. The difficulty of doing this is why content moderation remains so labor intensive and so frequently dissatisfying. No one has come up with an automated epistemological engine, and no one is likely to, either. This problem is related to, but distinct from, the problem of recognizing and suppressing inauthenticity, which is a much more tractable challenge.
- The persuasive question of dissuading people from believing lies, mistakes, delusions, and simple hogwash. This is harder to do than one might expect. See MIT's Technology Review for an account of how Twitter's attempt to control the story backfired, and actually increased its dissemination. The field of social media still awaits its Aristotle, or at least its Marshall McLuhan, but the Wall Street Journal reports a growing sense that social media have a strong affinity for falsehood, and a deep tendency to amplify it.
Training notes: rumor ricochet fans, and Surface Danger Area Hogwash.
Whatever you may have heard from the Halifax Rifles, no wolves have been released in Nova Scotia. It's all a misunderstanding, apparently deriving from a misfiring "live-fire" information operations training exercise.
Here’s what happened, according to the Ottawa Citizen. Nova Scotia residents received a letter--snail mail--that looked as if it were from the Province’s Department of Lands and Forestry (Wildlife Division). The letter apprised them of progress in a grey wolf reintroduction program: wolves had been released in the neighborhood and were now on the prowl, as wolves are wont to prowl, around the province's Annapolis Valley. And then people heard wolves howling.
But no, no wolves. What happened was this. The aforementioned Halifax Rifles, a reserve regiment that traces its lineage back to the Empire loyalist side of the War of 1812, was conducting an information operations exercise. They’d forged the letter from the Department of Lands and Forestry and then used a loudspeaker to broadcast what Count Dracula would have called “the sweet music of the children of the night.” So, hey, success--people were spooked: lock up the house pets and Katie bar the door.
A Department of National Defence spokesman, Dan Le Bouthillier, said it was a mistake. The Halifax Rifles were conducting an information operations training exercise, and the letter wasn’t meant to actually be mailed to anyone. And, he added (we paraphrase), who the heck knows where that loudspeaker came from. The whole thing was a big snafu, and the embarrassed Department is investigating how the weekend warriors’ enthusiasm got the better of them.
Some people on Twitter called the whole thing a propaganda “live fire” exercise. Here’s the point--when you’re conducting influence exercises or other cybersecurity training, are you taking steps to confine the effects to the training area?