Hacking Humans 6.3.21
Ep 150 | 6.3.21

The fight in the dog.

Transcript

Jan Kallberg: This is like having Goebbels in the barracks through the internet, TikTok and so forth.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, Jan Kallberg and Colonel Stephen Hamilton of the Army Cyber Institute at West Point. We're going to be discussing cognitive force protection. 

Dave Bittner: All right, Joe, so before we jump into our stories this week, we've got some follow-up this week you want to share with us. What do we have here? 

Joe Carrigan: We have an email from Obata (ph), who writes, (reading) hello, Dave and Joe - big fan here from the Middle East. I recently discovered your podcast, and please allow me to thank you for your great work and the super-informative and educational content. Well, thank you. 

Dave Bittner: You're welcome. 

Joe Carrigan: (Reading) I recently bought a couple of YubiKeys to increase my security in the cyberspace and purchased a password manager. I immediately started enabling two-factor authentication on all accounts through the physical keys where applicable and also through the authenticator app, which is an app you can usually get for free. 

Dave Bittner: Yep. 

Joe Carrigan: (Reading) I did this for almost all of my accounts. However, when opting in for two-factor authentication on my Apple account, I was amazed to discover that Apple only offers 2FA via SMS or a mobile number. I always try to avoid two-factor via SMS for SIM swap reasons, which is a good reason to avoid it. 

Dave Bittner: Yeah. 

Joe Carrigan: There are other reasons as well. Also, I don't think it's ideal, especially in countries where inactive phone numbers might be active again for a different user, which is, I think, everywhere. 

Dave Bittner: Sure. 

Joe Carrigan: It happens here in the U.S. (Reading) I was wondering what your take is on this and why you think Apple, one of the biggest security advocates, only allows multifactor authentication via SMS. Keep up the good work, and thank you. 

Dave Bittner: OK. 

Joe Carrigan: So I'm not an Apple user, Dave. 

Dave Bittner: Well, I am. 

Joe Carrigan: Yes, you are. 

Dave Bittner: So let me just say one of the things that I often say as a longtime Apple user. Apple giveth, and Apple taketh away (laughter). So while there are many, many good things about being in the Apple ecosystem and, overall, I enjoy it very much, there are also some very frustrating things about being in the Apple ecosystem, one of which is their lack of transparency. They share with you what they want to share with you, and that's it. There are no user forums where there are active Apple employees who you can strike up a conversation with and sort of ask, why are you doing this, or, what are you doing, or, God forbid, what are your plans? 

Joe Carrigan: Right. 

(LAUGHTER) 

Dave Bittner: So - but specifically to Obata's point, I mean, I think he is mostly right in that Apple does not so far allow YubiKeys. 

Joe Carrigan: Right. 

Dave Bittner: But Apple does have additional multifactor authentication options beyond just an SMS. Specifically, again, Apple very much wanting you to be part of their ecosystem, they allow you to authenticate via other trusted devices. 

Joe Carrigan: Right. 

Dave Bittner: In other words, if I'm sitting here at my Mac and I want to authorize something on my iPhone, I can opt for Apple to send me a code directly to my Mac that I can then use to authenticate my iPhone. 

Joe Carrigan: Right. And Google does something similar with Android. I logged into the Chrome browser recently, and it said, check your phone. And there was a question on my phone. Do you want to authorize this access to your account from Chrome? 

Dave Bittner: Right. 

Joe Carrigan: That's not an SMS, though. That's a different protocol. 

Dave Bittner: Correct. And yeah. So it's baked into the operating systems... 

Joe Carrigan: Right. 

Dave Bittner: ...To do this. And on planet Apple, it is on both the iOS and Mac OS, and they work together. And when it works, it works quite well. It's kind of Apple's thing, you know (laughter)? 

Joe Carrigan: Right. You can't fault Apple for making something that works. It usually just works. 

Dave Bittner: Right. Right. 

Joe Carrigan: And Apple's very good at that and very good at user experience management. 

Dave Bittner: Yeah. But I think there is also the point that, like, how does something become a trusted device? Well, usually that involves sending an SMS code. 

Joe Carrigan: Right. 

Dave Bittner: So at some point (laughter) in the Apple ecosystem, you have to - if you want to establish something as being a trusted device, there's an SMS involved. 

Joe Carrigan: Right. 

Dave Bittner: So that's just the way it is. I agree. It would be great if Apple allowed you to use things like YubiKeys. Apple tends to not embrace hardware made by other people. 

Joe Carrigan: Right. 

Dave Bittner: So perhaps someday we will see an Apple version of a YubiKey, and off we'll go. 

Joe Carrigan: There is a Google version called the Titan... 

Dave Bittner: Yep. 

Joe Carrigan: ...That runs on the universal two-factor. So maybe Apple could embrace that... 

Dave Bittner: Perhaps. 

Joe Carrigan: ...And build an Apple device that runs on universal two-factor. 

Dave Bittner: Yeah. I suspect - you know, from Apple's point of view, the hardware that they are counting on is other existing Apple devices. And, you know, it could be an Apple Watch, could be your iPhone, could be your iPad, could be your Mac - so, again, ecosystem kind of thing. So I think our listener is mostly correct. It is frustrating that you can't use a hardware key directly with any of the Apple OSes as far as I know. I'm getting my information here from Apple's support page on two-factor authentication. But I don't see that changing because I suspect from Apple's point of view, they aren't just relying on SMS because they do have certain types of two-factor baked into the OS. And it seems as though they feel like that's, for the moment, good enough. 

Dave Bittner: Thanks to Obata for sending that in. It's an excellent question. And, of course, we would love to hear from you. If you have any questions, you can email us. It's hackinghumans@thecyberwire.com. All right. Joe, well, why don't we jump into our stories for this week. And coincidentally... 

Joe Carrigan: Right. 

(LAUGHTER) 

Dave Bittner: My story - I'll start things off. And my story, this comes from the folks over at CyberScoop. This is a story written by Tim Starks. And it's titled "Google To Make Multi-Factor Authentication Its Default Mode." 

Joe Carrigan: All right. 

Dave Bittner: (Laughter) This is good news. 

Joe Carrigan: Thank you, Google. 

Dave Bittner: This is good news. Yeah. So about a month or so ago when it was World Password Day, Google announced that they're going to, basically, make it default that when you enroll with a Google account, they're going to nudge you towards having multifactor authentication. And, you know, we've seen multiple studies from Google, from Microsoft that say that if you've got multifactor turned on, your account is 99% less likely to be compromised. 

Joe Carrigan: Yes. 

Dave Bittner: So I think this is really good news. And I think it also points to the fact that a big part of the resistance to multifactor has been that it adds friction. 

Joe Carrigan: Right. 

Dave Bittner: It slows you down. But I really think that's becoming more and more of a non-issue these days. 

Joe Carrigan: I would agree. 

Dave Bittner: Yeah? 

Joe Carrigan: Yeah. I think it's becoming more of the accepted way of doing things. Maybe we as users are becoming just used to it... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Because enough people are asking us to do it. And I don't really think there's a big difference in use case whether or not I get my multifactor authentication from an SMS message or an authenticator application or a hardware solution, like a YubiKey. 

Dave Bittner: Right. 

Joe Carrigan: It's all, essentially, the same level of work. I would actually maybe even argue that the hardware key is a little bit less because all you have to do is push a button. 

Dave Bittner: So, you know, I really think, hopefully, this will lead to other organizations, going back to our earlier story... 

Joe Carrigan: Right. 

Dave Bittner: ...Perhaps, even Apple (laughter)... 

Joe Carrigan: Maybe. 

Dave Bittner: ...Making it the default. It seems as though things are headed that way. And... 

Joe Carrigan: Yeah. I think Microsoft's going to have to do this soon for their Microsoft 365 product. 

Dave Bittner: Yeah. It seems to be the way things are going. I guess, hats off to Google for leading the way when it comes to this thing. I was going to say taking the bullet (laughter)... 

Joe Carrigan: Right. 

Dave Bittner: ...Because some people are going to criticize them, again, because of friction. And it's not required. I guess the point here is that if you don't want two-factor, you'll be able to opt out. 

Joe Carrigan: Right. 

Dave Bittner: But who's going to do that, you know? They - (laughter). 

Joe Carrigan: Right. 

Dave Bittner: They want you to do the right thing. They want you to be safe. 

Joe Carrigan: Users have a history of not opting out of things (laughter). 

Dave Bittner: Right. Right. Absolutely. So again, this is over on CyberScoop, written by Tim Starks. We'll have a link to that in the show notes. That is my story this week. Joe, what do you have for us? 

Joe Carrigan: Dave, my story comes from nbcchicago.com. It's a news channel out there, Channel 5, a local affiliate, NBC affiliate. And they have a story of a couple from the area that they just address as K and J... 

Dave Bittner: OK. 

Joe Carrigan: ...Because they don't want their names being out there. They had deposited retirement savings with Fidelity. 

Dave Bittner: OK. 

Joe Carrigan: And that's - you know, for our international listeners, there's a large - it's a large financial firm here in the U.S. It may be international. I don't know. 

Dave Bittner: Yeah. 

Joe Carrigan: In June of 2020, someone managed to get into their account and change their contact information, and then proceeded to make two withdrawals in the amount of $20,000 each. 

Dave Bittner: Wow. 

Joe Carrigan: Right? Fidelity flagged the transactions as suspicious and froze their account and sent a letter via the mail saying, hey; we've noticed some fraudulent activity on your account. Now, I think it's interesting. Fidelity maintains that they tried to contact K and J on this. But they sent a letter. And I'd like to know, what address did they send the letter to? 

Dave Bittner: Right. Right. 

Joe Carrigan: Right? Did they send the letter to the - to where K and J live? Or did they send the letter to the new location that was entered in the contact information? 

Dave Bittner: Sure. Yeah. 

Joe Carrigan: That's not really addressed in this story. But I would like to know that. That would be key to where I come down on this story. OK. The couple did notice a dip in their balances. But they said we just figured it was pandemic craziness. Now, you remember... 

Dave Bittner: Wow (laughter). First of all, I'd like to know how much they have in their retirement account that $40,000 could be written off as a fluctuation (laughter). 

Joe Carrigan: It doesn't need to be a lot. If you remember, in March of 2020, if you were watching your account balances, it was difficult to watch. 

Dave Bittner: Yeah. OK. Fair enough. Fair enough. 

Joe Carrigan: (Laughter) Right? 

Dave Bittner: Yep. Yep. 

Joe Carrigan: So fortunately, things have recovered. But they only became aware of the theft when they actually started getting statements from Chase, another financial institution... 

Dave Bittner: Right. 

Joe Carrigan: ...That they had an account with a zero balance. And they don't remember opening this account. But somebody had gone in and, in J's name, opened an account at Chase, broke into the account at Fidelity, wired the money from Fidelity to Chase and then out of the account from Chase to wherever they were going to take it from. When they did notify Fidelity of the fraud, it was six months later. And Fidelity essentially said, well, tough. Our policy is you have to notify us within 30 days of a fraudulent charge or fraudulent activity. 

Dave Bittner: OK. 

Joe Carrigan: And they said, you're not getting your money back. Since the investigation has begun by this news organization, Fidelity has decided, OK, we'll give you your money back. 

Dave Bittner: (Laughter) Support your local news, folks. 

Joe Carrigan: Right. Exactly. 

Dave Bittner: Support your local news. 

(LAUGHTER) 

Joe Carrigan: These K and J have gotten their money back. We don't know how the bad guys got access to the Fidelity account. But it could be through phishing. It could be through credential stuffing. It could be social engineering by calling Fidelity and pretending to be the person. But they had enough information on the victims that they were able to open another bank account in their name. So they had a lot of information about these people. 

Dave Bittner: OK. 

Joe Carrigan: They probably even had copies of documents or maybe even fake documents... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Of these things. There are a few things the victims could've done here that would've made this impossible. No. 1, they could have practiced better password hygiene, right... 

Dave Bittner: Yep. 

Joe Carrigan: ...Not putting a password on that lets somebody guess it. Of course, if they - if these people called into Fidelity - and we don't know how they got into the account. That's also not covered in the story. 

Dave Bittner: Right. 

Joe Carrigan: I'd like to know that. They could use multifactor authentication. Always use multifactor authentication. If you're going to do one thing - multifactor authentication. 

Dave Bittner: (Laughter) Right. Right. 

Joe Carrigan: And they could've been more diligent and paid more attention to their statements. There seems to be, in the retirement investment community, this - invest it and forget about it. And we tell each other that so that we don't go into our retirement funds and view it as an asset before retirement, right? So, you know, I remember growing up, my dad would say, just put the money in your retirement account and forget about it. It's gone. Don't think about it. 

Dave Bittner: Right, right (laughter). Let interest do its magic. 

Joe Carrigan: Right. 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: Yeah, exactly. And that's great advice, but that doesn't mean you shouldn't pay attention to it. 

Dave Bittner: Yeah. 

Joe Carrigan: You should log into these accounts at least monthly, and just make sure - you know, look at your transactions. If you have stock accounts, look at your dividends. Maybe you want different investments. You should be managing this money on a regular basis. This is what you're going to retire on, for the most part. And one of the biggest reasons is, as this thing grows, it may very well become your biggest investment. A lot of times we hear your biggest investment is your house, but if you have been saving for retirement since your 20s and now you're in your 50s or 60s, your retirement is probably your biggest investment. 

Dave Bittner: Sure. 

Joe Carrigan: It deserves your undivided attention, right? (Laughter). 

Dave Bittner: Yeah. 

Joe Carrigan: I'm not blaming the victims here. These are just things they could have done better. I also have some things that Fidelity could have done better as well. No. 1 - they could require that their clients use multifactor authentication of some kind. 

Dave Bittner: Yeah. 

Joe Carrigan: That could be a requirement. And I would like to see financial institutions enact that requirement. 

Dave Bittner: Yeah. 

Joe Carrigan: Some way. 

Dave Bittner: Why not? 

Joe Carrigan: Right. 

Dave Bittner: Right? (Laughter) If Google can do it, Chase can do it. 

Joe Carrigan: Right. 

Dave Bittner: Fidelity can do it. 

Joe Carrigan: When you notice fraudulent activity, do more than just send a letter, you know? 

Dave Bittner: Right, right (laughter). 

Joe Carrigan: Don't just say, well, we sent you a letter. 

Dave Bittner: Yeah. What's the rush? 

Joe Carrigan: Right. 

Dave Bittner: I mean, you know (laughter). 

Joe Carrigan: Finally, when someone changes contact information on an account, have a better process than just accepting it, right? I'm not sure what that looks like. You know, I'd have to think about this. But keep the old information is No. 1. If someone changes the phone number, call the old phone number, and see who answers, and ask if it's the account holder. 

Dave Bittner: Yeah. 

Joe Carrigan: If it's the account holder, say somebody has changed the phone number on your account; are you OK with that? And if they say no, then you stop everything, right? 

Dave Bittner: I would also say that if someone changes their address, you should send a letter to both the old address and the new address... 

Joe Carrigan: Right. 

Dave Bittner: ...And say, we've had an address change; you know, if this is wrong, please let us know. 

Joe Carrigan: Yeah. 

Dave Bittner: You know, because, again, why not? 

Joe Carrigan: Yep. It's cheap and easy to do. If you're going to say that you noticed fraudulent activity, don't just send a letter via regular mail. Maybe that is something you send registered mail... 

Dave Bittner: Well, yeah. 

Joe Carrigan: ...With return receipt requested. 

Dave Bittner: Right. I mean, and you think that's also in Fidelity's interest, so that they have a receipt that they actually... 

Joe Carrigan: Were proactive about. 

Dave Bittner: ...That they did this transaction. 

Joe Carrigan: Yeah. 

Dave Bittner: Right. We sent you a letter, and here's when we sent it. So yeah. 

Joe Carrigan: Right. Costs you $3 bucks. 

Dave Bittner: Yeah. 

Joe Carrigan: Anyway, the story has a good ending. I'm glad that these people got their money back. Enable multifactor authentication on every account that you can. And do that now. It really, really, really protects you against these kind of attacks. 

Dave Bittner: Yeah, and I would also go as far to say, if your bank, if your - if whoever you have your retirement account with, if they don't have the capability for you to have multifactor on these accounts... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Maybe it's time to start looking around. At the very least, make some noise and say, how can you tell me that this is secure if you don't have these security basics in place? 

Joe Carrigan: Correct. 

Dave Bittner: All right. Well, interesting stories this week. Of course, we will have links to them in the show notes if you want to dig into the details. Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Our Catch of the Day comes from a listener named Dole (ph). And Dole says, finally, I can quit my life of toil. 

Dave Bittner: (Laughter). 

Joe Carrigan: Dave, why don't you read this email? 

Dave Bittner: All right. It says, (reading) Dear Sir, my name is Miss Eleanor Ward (ph), a wealth manager and head of global payments with Lloyd's Private Banking (ph) in United Kingdom. I'm contacting you regarding the estate of a deceased client with a similar last name and an investment placed under our bank's management worth GBP 6.2 million British pound sterling. 

Joe Carrigan: (Laughter). 

Dave Bittner: (Reading) He left no next of kin, and I contact you independently, as no one is informed of this communication. What I propose is that since I have exclusive access to his file, you will be made the beneficiary of these funds after the legalization process is diligently carried out. I hold the key to these funds, and from my years of experience as a bank, we see so much cash being reassigned daily, so nobody's getting hurt. Kindly express your interest by writing back to me. Whatever your response is will be taken in good faith. Regards, Eleanor Ward. 

Joe Carrigan: So many little red flags here. 

Dave Bittner: (Laughter). 

Joe Carrigan: First off, it's GBP 6.2 million British pound sterling, which is what GBP means, right? Great British pounds? 

Dave Bittner: Yeah. It ain't real money, Joe (laughter). 

Joe Carrigan: Yeah. Right. A couple of misspellings, a big capitalization error in the middle of, I hold the key... 

Dave Bittner: Right (laughter). 

Joe Carrigan: ...Of the funds. Pretty good catch there, Dole. Thanks. 

Dave Bittner: Yeah. Yeah, that's a good one. All right. Well, we do appreciate our listeners sending that in. We would love to hear from you. If you have a Catch of the Day for us, you can send it to us. Send it to hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe. I recently had the pleasure of speaking with Jan Kallberg and Colonel Stephen Hamilton. They are from the Army Cyber Institute at West Point. And our conversation centered on the notion of cognitive force protection. Here's my conversation with Jan Kallberg and Colonel Stephen Hamilton. 

Stephen Hamilton: We always think, in the army, of trying to protect our soldiers, protect the force. And it could be everything from, if you don't get your dental checkup, you go to Category 4, and you can't deploy. So we've got to make sure that you're - you know, you're not going to need a root canal when you're deployed. So everything from that to going outside the gate and going to maybe seedy places that you know are around some of the military posts. You know, sometimes they make those off limits. So we do these various things to protect our force. And we also run force protection drills, you know, active shooter drills, those kinds of things. 

Stephen Hamilton: And really what we kind of identified is, it seemed like there's really not anyone focusing on what happens when the soldier is protected. He's on post. But then he goes back to his barracks, gets on TikTok and starts being influenced by the content that they're receiving. So that was kind of the genesis of it. 

Stephen Hamilton: But what we decided is that we needed to term it something that would spark the interest of commanders in the vernacular of what they're used to, which is force protection. So that's where we came up with cognitive force protection as being, this is still a protection issue, it's just on a different level. It's not physical like you're normally used to. 

Jan Kallberg: Historically, the will to fight has determined outcomes in wars. One example is, for instance, the Finnish-Soviet Winter War of '39-'40, where the Finnish will to fight made them overcome climate, lack of equipment, and really did a really great fight against the Soviet onslaught pure on their mental strength. It matters because the Germans rarely watched how the Soviets didn't do well, and they did the attack on the Soviet Union in '41. Stunning to them, the Soviets had the real will to fight. That was before the invasion and so forth. In '41, '42, against all odds, did a formidable job to keep this up. The will to fight we see in Guadalcanal, we see it in the Pacific campaign, we see it for the Second World War, Korea and so forth. We maybe have lost that connection to it. But I think our adversaries really understand, especially the Russians, who see this way of breaking down our will to fight, this cognitive attack, as a preparation of the battlefield. 

Dave Bittner: Yeah. It reminds me of that old saying - you know, it's not the size of the dog in the fight, it's the size of the fight in the dog. And I suppose what this means is, you can't just look at the number of tanks you have, the number of troops you have, the number of helicopters you have, that, as you say, this will to fight is a key part of measuring the strength of your fighting force, yes? 

Jan Kallberg: Oh, yeah. Definitely. And also, as Stephen and I were sitting in his office when we invented the term cognitive force protection - because we realized - this is, like, more to visualize - that this is like having Goebbels in the barracks through the internet and TikTok and so forth, as Stephen mentioned. 

Dave Bittner: In the past, was there more control over this, over the flow of information that would get to the soldiers? Did the powers that be have a greater ability to control the possibility of them being influenced by things? 

Stephen Hamilton: I would say that there wasn't a need to in the past just because if you look at how media is consumed in the advent of, I mean, social media - I guess I would say, I think I got on Facebook the first time in, like, 2006 or so. So prior to those dates, the information you got was primarily either through TV or, you know, more reputable news sources. Well, I could go back in time and say that I was on a DOS computer and downloaded "The Anarchist Cookbook," you know, when I was in middle school. But... 

Dave Bittner: Right (laughter). 

Stephen Hamilton: ...I'm a one-off probably. If I told the rest of my classmates that I was doing that, I don't think that they would even understand what I was talking about. But now it's just the ease of access of the information and the ability to create content. That's where everything is kind of flipped on its head. So - and the fact that the social media companies have done their best to try to serve the content to keep you on their page, which inherently causes people to create content that - they can pull people down rabbit holes. 

Stephen Hamilton: So I don't think we ever had the protection for it. We just didn't need it. But I think now we have to recognize what's going on and the marketing that's happening and the way the social media companies are keeping these soldiers online. And they're not even - it's just their algorithms. They're not doing it intentionally to help out our adversary, but the adversaries are leveraging that technology to be able to get into their heads. And that's the part that I'm worried about. 

Jan Kallberg: Well, I'd like to add to that. I also see - I completely agree with Colonel Hamilton that we didn't have the need. And, of course, you can see the information from earlier. Just look on the pictures from - doesn't matter, Battle of the Bulge or Korea and so on. You see the platoon leader sits, a leader of character. And they read Stars and Stripes like the only source of information together. Meanwhile, they eat their rations. So there's no other impact. There's no other competing news sources. 

Jan Kallberg: And I think a problem here, as Colonel Hamilton mentioned - they go back, and they hook up to these resources. And there's a different way to approach the soldier today. Today, which other researchers at Army Cyber Institute have identified - that's Major Dawson - you can actually create the shell company as an adversary and buy the profiles of military personnel from social media companies. You can already get those data sets. You can preemptively seek out how to target military personnel. And this is completely a new operational environment. 

Dave Bittner: How do we fight this? I mean, is it a matter of restricting what the soldiers are able to see? Is it putting, you know, a counter narrative in front of them? Is it making sure that you're putting the message in front of them that you want them to see? How do you get the truth to these soldiers who need to see it? 

Stephen Hamilton: Yeah, that's a good question, and we've thought a bit about this to try to understand what's the right way to do it. Limiting the information is just not going to work. You can't tell someone not to go to TikTok. We could try to ban it on government phones, but if that's their personal device, it's too hard. And they're going to do what they are interested in doing. 

Stephen Hamilton: What I'm kind of proposing is that the Army is good at training. We just need to add some training that helps them understand how to differentiate news. And I first heard of this, I think it was a few years ago. I heard that there was a university course, I think in England, that was basically a media course of, like, how do you identify fake news? There's a brewing podcast I listen to, and they used to play this game, which was basically find a fake. So they'll read, like, three news articles, and you have to guess, like, which one is the fake news. 

Stephen Hamilton: I think making something entertaining like that training for the soldiers where we create some different types of news or maybe we take some that's actual fake news out there, present it to them and have them try to decipher that and help them learn how to determine and how to verify and fact-check information that they're receiving. I think that that's the best way to do it - really give them the tools to be able to identify that. 

Stephen Hamilton: In addition, I think Jan and I've also talked about, you know, it's not unheard of for us to buy - I think at West Point there's certain subscriptions that we buy, like Wall Street Journal and as - we buy as an organization. And so purchasing some reputable news sources and providing that to the soldiers, that's another option as well. I personally think that the training is what's going to be important - changing the way that they consume information by educating them. That's, to me, like, the more long-term fix because then they can identify things that we're not even - we don't even know is going to exist in the future. 

Jan Kallberg: So what Stephen mentioned about reliable sources I think is a good way. The reason why people go to these clickbaits and so forth is because it's free. So let's say we provide 10 free journals. It could be TIME magazine, Atlantic, L.A. Times, Dallas Morning News, Chicago Tribune and so forth, like a spectrum of different outlets that have their own political camp. And yes, say, this - you can log in as a service member and here we got news. I can guarantee you that people are going to start using these sources because they get tired of clickbait and trying to just click through how actors look 500 years after or so forth - you know, all these clickbaits. 

Dave Bittner: Right. 

Jan Kallberg: So I think that is a really high return on investment. I also think that as Col. Hamilton mentioned before earlier in this discussion about cognitive force protection is that it's also up to officers and leaders and noncommissioned officers to be leader of character and show an interest in what the soldiers discuss and be open to discuss it and act as they - you know, in pastime or as a foundation for their understanding of how the world operates. Because a lot of the soldiers, a lot of the enlisted, they are really young. And another thing I think also is that we maybe have in the training - when you teach grad students, that you can train them pretty quick to evaluate sources. And I think there's something to learn there. 

Dave Bittner: Col. Hamilton, is there a leadership opportunity here? You know, I've seen in the past week or so there's been some folks saying that there needs to be a push to be perhaps more deliberate about what TV channel we have on in the mess hall to put in front of our soldiers. And one of the challenges there is that people have strong feelings about their politics, and they don't want to feel as though they're silenced. You know, could things like that help put more of a neutral, fact-based presentation of news in front of the fighting forces? 

Stephen Hamilton: Yeah, I think there's an opportunity there to do that. I know - I'm thinking of when I went to - I went to a gym back when I was at Norfolk for a course, and it was the first time I actually saw - like, they had all the different news sources. And oddly enough, they were actually arranged where the far left was MSNBC and the far right was Fox News, like literally the way they were arranged. I thought that was just ironic. 

Dave Bittner: From left to right? That's funny (laughter). 

Stephen Hamilton: Exactly. I'm sure somebody had to have thought through that because it's just - it was - yeah, it was too obvious to me. 

Dave Bittner: Right. 

Stephen Hamilton: But, you know, I looked at it, and I'm like, well, this is fair enough. At least you've put it out there, and you've even put it in the correct order. I think that there's an opportunity to do that. I will say that, you know, I think a TV - and it's like - I feel like it's almost an archaic thing. Like, everybody's on their own phone looking at stuff. I mean, I haven't been to a mess hall with young soldiers in a little while. It's probably been a year or two. But I don't remember seeing a TV, and I think people were probably all on their phones in there, so. 

Dave Bittner: I see. 

Stephen Hamilton: Understanding how the soldiers consume content is a big thing. And I think - you know, I have teenage boys, and they'll present me different things. And sometimes I ask them, I'm like - and I've tried to teach them like, you know, how did you arrive at this information? Where did you get it from? And it usually starts with something simple, like a funny meme. And it's interesting how clever that - our adversaries are of taking, like, something like Pepe the Frog or whatever it may be and then - and it's supposed to be something that was kind of innocuous. And then they're slowly adding different symbols and imagery to it and then words to it and then kind of leading you down a path. 

Stephen Hamilton: And so that's - that part is a little trickier. I don't think that just changing what we see on the TV - I think there definitely should be some thought put into - a deliberate thought put into what we put up there. But I think that the real extreme and the more leading things, sort of the - is going to be the interactive content that they have on their phones. 

Dave Bittner: Is the leadership receptive to this message? Are the folks who are higher up in your organizations - are - is this something that has their attention? 

Stephen Hamilton: Right now, it is kicking off a lot. And we have our information warfare team lead, Maj. Jess Dawson, who's been leading the effort. And she's been interacting with a lot of the general officers in the Army, mostly focused on extremism in the Army, which - we're having an extremism stand down day, I think, next week. So there is an acknowledgement that there's some extremism in our ranks. And that is - I would say it's - a lot of it's fueled by online content. And so that part has their attention more so because it's just more of a problem that we're starting to see. So there is getting some recognition with that. I will say that like I said before at the beginning, you know, this term cognitive force protection is key because it seems like, sometimes, when we talk with senior leaders, they're like, well, I can't control this. And so it is difficult. It's not something that you can control the same way you control physical things. But it's some - it doesn't mean we can't acknowledge it and try to understand how to help educate the force to try to get at solving the problem. But yeah, I mean, you can immediately say as soon as you tell someone, oh, well, the soldiers shouldn't be looking at this - well, we can't - you know, there's freedom of speech. And there's - you know, we're not going to stop them from getting on all online things. I mean, that would be ideal for us, but it's not going to work at all. So we've got to figure out a solution to kind of a hard problem. But it doesn't mean we shouldn't just stand by and say, well, we can't do anything about it at all. So the key is to try to understand it and characterize it in such a way that we can take action on it. 

Jan Kallberg: As Col. Hamilton points out, we can't, like the Soviets, create the Department of Truth and put political commissars in the ranks. We still have a free society. We still have a Bill of Rights. But they're still in uniform, and they still have to be loyal to the U.S. Constitution and follow the rules and norms of a society. So I think what really stunned us when we look at this is how people can get carried away with TikToks and making videos and so on. Meanwhile, they're in uniform. Yes, the seductive power of social media - I don't know if that's the right word. But how people can get really carried away with these few seconds of minutes of fame and social media and just lose all contact and boundaries. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Well, I'm glad to see that there are people thinking about the mental state of the war fighters here in the United States. So the will to fight is very important. And if an adversary can impact it, they will because it only benefits them. 

Dave Bittner: Right. 

Joe Carrigan: It's generally a nonkinetic activity that's easily deniable, and it can impact the effectiveness of troops. 

Dave Bittner: Yeah. I mean, history, as you know - papering the enemy, right? 

Joe Carrigan: Right. 

Dave Bittner: Dropping flyers or broadcasting, you know, radio over the borders, you know... 

Joe Carrigan: Yep. 

Dave Bittner: ...To say, you're - you know, run away, run away - that sort of thing. 

Joe Carrigan: Right. Historically, we and other nations have been able to control the message through things like classic media, you know, newsreels, Stars and Stripes and the like, those kind of things. But now we have social media that is designed to keep you engaged. And the adversaries are using those algorithms to get inside of people's heads and weaken their will to fight. That's really dangerous. You know, like I've said before, this is not something that these social media companies are doing deliberately. This is an emergent tactic being used by adversarial nations based on the design, the inherent design of these social media platforms. They're essentially weaponizing these social media platforms. 

Dave Bittner: Sure. 

Joe Carrigan: Banning social media for all soldiers and Marines and airmen and sailors will not work. That's just not feasible. Col. Hamilton has a great point that you're not going to be able to do that because of the First Amendment right. These people still have rights. You can't just say, nope, no Facebook for you. I think it's really interesting that Col. Hamilton talks about how his kids start their news understanding from memes, right? They get a meme, and that begins the investigation... 

Dave Bittner: (Laughter) Yes. 

Joe Carrigan: ...Of what's going on. 

Dave Bittner: Yes. 

Joe Carrigan: No, I think memes are funny. I enjoy them, but they are not a good place to start getting your news. And I actually like the approach these guys are talking about - using an educational approach, making bona fide news sources available to people and using that as your first source of news. 

Dave Bittner: Yeah. 

Joe Carrigan: You shouldn't be using memes as your first source of news. You can use memes for entertainment about the news, but you should already be informed about the news when you see the meme, right? 

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: That's the idea. You should be reading the newspaper, whatever newspaper it is you choose. And then when you see the meme, you go, oh, I get it. That's funny. And I understand that meme because I read that in The Wall Street Journal today. 

Dave Bittner: (Laughter) Right. Educating everybody when it comes to critical thinking. 

Joe Carrigan: Yes. 

Dave Bittner: I mean, just so key to all of this. 

Joe Carrigan: Yes, absolutely. 

Dave Bittner: Yeah. All right. Well, again, our thanks to Jan Kallberg and Col. Stephen Hamilton from the Army Cyber Institute at West Point for joining us. We really do appreciate them taking the time to be on our show. 

Dave Bittner: That is our show. We want to thank all of you for listening. And of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.