The Urgent Need for a National Counter-Influence Strategy
19 May 2019
In April 2019, the Director of the FBI warned of continued Russian attempts to influence America's election results, calling it a "significant counter-intelligence threat." The Russian activities, however, are not "intelligence" activities needing to be countered, even though they are being conducted by Russia's intelligence agencies. The tools and tactics of counter-intelligence professionals will not counter this threat. The Russian activities are a Covert Action campaign and aim to weaken America’s political system in Russia’s favor. The tools and tactics used by the Russians to influence the 2016 election are widely available to other threat actors, and they are increasing in their effectiveness. The FBI, and the U.S. government generally, is repeating the mistakes that it made in the late 1990s with counter-terrorism, and over the last 15 years with counter-cyber; they are navigating via the rear-view mirror. Just as the 9/11 attacks forced the U.S. government to update its legal authorities, organizational structure and roles, and operational approach to countering the terrorist threat, it must again modernize its thinking and implement a comprehensive strategy to counter "influence" operations.
Influence as a goal of Covert Action has been around for decades, or longer, but it is rapidly changing in form and effect. Influence operations are now a widely impactful and cost-effective form of international competition, due to pervasive social media usage, rapidly advancing communications technologies, large-scale individualized data sets, and proven means of psychologically manipulating human behavior. Dr. Robert Cialdini called these means the "weapons of influence" in his 1984 psychology book, Influence. Democratic and open societies are especially vulnerable to modern influence campaigns.
The first wave of modern weaponized influence operations was seen in Al Qaeda’s Internet recruitment efforts, pre- and post-9/11, as otherwise unaffiliated persons were radicalized into joining its ranks. Then came the formation of the loose hacker collective called Anonymous, which rapidly organized ad hoc cyber campaigns perpetrated by a worldwide collection of strangers. In Anonymous, often young and socially distant persons were influenced through conspiratorial anti-government ideas into contributing to collective criminal activities. Internet search giants and social media companies expanded the reach and effectiveness of this influence toolset to better monetize their marketing services. Political parties saw the potential to influence voters, so they joined the game, gathering intimate details on individual citizens so they could focus their outreach on the specific voters that promised the highest impact to their campaigns. Even the news media, often touted as defending the public against ignorance and misinformation, is incentivized by its reliance on advertising as a primary source of income to use the weapons of influence. Then, for the last several years, nation states, such as Russia, have been using these tools to influence the power structures of their adversaries. Russia’s efforts to tilt the 2016 U.S. Presidential election by influencing targeted groups of American voters is a well-known example. The Russians, and likely others, are using to their advantage a system that is promoted by U.S. corporations, politicians, and media institutions. Nicely asking the Russians to halt their efforts will not work. A failure by the U.S. government to marshal an effective response to this increasing threat seems likely to lead to lessons being learned the hard way, as they were on 9/11.
A primary source of confusion stems from a misunderstanding of the term "intelligence." For example, the CIA, an “intelligence” agency, has three distinct, yet inter-related, missions: intelligence production, counter-intelligence, and Covert Action. Often, these three distinct missions are incorrectly lumped under the single label of "intelligence" because they are all performed by so-called intelligence agencies. My criticism here is not semantics. The goals and techniques of these missions differ in important ways. A better understanding of these terms reveals an important gap in America's approach to countering a rapidly growing threat.
Contrary to the common vernacular, intelligence is not "collected," it is produced. Intelligence organizations collect information and analyze it to produce intelligence, which is then disseminated to decision-makers. Intelligence, in essence, is a formal answer to a question posed by decision-makers. This question is called a "requirement." The sole mission of intelligence is to inform decision-making.
Our adversaries also produce intelligence to inform their decision-makers. The better their intelligence production, the better their decisions will be, which, in turn, yields more effective results. The mission of counter-intelligence is to promote our security by frustrating the intelligence-driven decision-making processes of our adversaries.
Sometimes, policy-makers decide that it is necessary to affect an aspect of their adversary's power base without resorting to open conflict. Such policy-makers would authorize a Covert Action campaign. The mission of Covert Action is to implement foreign policy through the discreet use of power. There are many ways in which Covert Action can be implemented, such as sabotage, propaganda, and the discreet arming of resistance fighters. Accordingly, defense against an adversary’s Covert Action efforts must also be multi-faceted, taking into account the specific methods used by the adversary.
Russian efforts to influence the American election process are not intelligence activities aiming to inform their decision-makers; they are a Covert Action campaign aiming to alter America's power structure in Russia's favor. Counter-intelligence efforts largely focus on affecting the adversary's production of intelligence, whereas an effort to counter Covert Action must simultaneously frustrate the perpetrators (in this case, Russia) and aid their potential targets.
Prior to the terrorist attacks on 9/11, acts of terrorism were largely treated as criminal acts. They were investigated after they occurred, and responsible parties were arrested for criminal prosecution. The attacks on 9/11 changed this perspective, as nearly 3000 persons died in a single morning. Technology allowed the terrorists to elevate their threat from lesser criminal acts to acts of war. At the time, America's security organizations lacked the authorities needed to proactively investigate, let alone disrupt, these threats. Thus, Congress passed laws that gave designated terrorist organizations the stature of "foreign powers," which allowed the FBI and other organizations to conduct proactive surveillance. The National Security Letter allowed U.S. security agencies to rapidly engage U.S. communications providers, aiming to frustrate potential terrorists’ efforts as they used U.S. technologies, such as email, to their advantage. Further, the U.S. conducted disruption efforts abroad, performing paramilitary strikes on terrorist safe havens, while also disrupting terrorist recruitment networks on the Internet. Simultaneously, the U.S. began implementing defensive measures aiming to harden the potential targets of terrorist attacks, such as improved airport security, a terrorist no-fly list, physical barriers around landmarks and critical infrastructure, and improved information sharing with state and local defenders. These multi-faceted efforts have been effective, and they can serve as a model for a successful defense against influence operations, as well.
In 2010, I sat in the back of a security conference in Geneva. A professor from an Ivy League university informed the audience that the threat of cyber war was being overblown. It was largely hype, he said, and noted, “No one has ever been killed in a cyber attack.” He said that if we all buy anti-virus software and keep our computer operating systems up-to-date, then we would be safe. I worked for the National Security Agency's Tailored Access Operations at the time, and I kept a close eye on security news. What I knew at that moment, and the professor had failed to notice, was that the early analyses of a new type of cyber weapon had recently appeared on Internet security forums. According to these cyber security analysts, a malicious piece of software called Stuxnet was exploiting several previously-unknown vulnerabilities in the Microsoft Windows operating system to propagate into Iran's most sensitive networks, those responsible for its secret nuclear enrichment program. Stuxnet was manipulating the centrifuges used by the Iranians to enrich uranium, causing them to break. This cyber tool is estimated by some researchers to have set back Iran's nuclear weapons program by many years, and anti-virus and operating system updates could not have stopped it. With Stuxnet, a cyber role in Covert Action was proven effective. Yet, even the brightest minds in the cyber security field were still underestimating, if not outright dismissing, the potential impacts of cyber warfare. They were navigating via the rear-view mirror, similar to the prelude to 9/11. The outdated thinking and fractured authorities for U.S. counter-cyber programs contributed to intelligence windfalls by U.S. adversaries, such as China during the mega-breach at the U.S. Office of Personnel Management (OPM) in 2014, wherein millions of personnel files were stolen. Similar legacy thinking is blinding some security experts to the growing threat of modern influence operations.
Beginning no later than 2014, the Russians further weaponized the cyber realm with a new type of influence operation. Influence operations are not entirely new. Nations were blasting propaganda over their adversaries’ borders using radio waves during World War II. The Internet, and the entrenchment of a huge swath of human society into social media applications, gives potential attackers access to an unprecedented pool of potential victims, and access to extremely valuable information about these victims' behaviors and psychological inclinations.
To better understand the value of social media to modern attackers, consider the common cyber attack tactic called phishing. In a phishing campaign, an attacker sends malicious emails to many different targets, which is akin to casting a fishing line into a lake. The attackers craft their emails in a manipulative way, aiming to entice the recipients into visiting a malicious website or giving away their passwords. The content of their email is the bait. The attackers only need one person to take the bait, and one person always does. From this one mistake, the attacker is able to gain a foothold in a network and expand to more lucrative targets. Traditionally, phishing attacks are successful less than five percent of the time, meaning that less than one in twenty persons takes the bait. But, when an attacker is able to reach hundreds or thousands of potential victims, they are able to successfully exploit a sizable group of persons. The Russian influence operations used a similar statistical premise. Nearly all persons were not influenced by the Russian propaganda. But, given that the Russians, using fake identities, were reaching an audience of several million persons, they were able to successfully influence hundreds, or even thousands, of persons. Phishing is the most common cyber-attack tactic because it is effective and easy to conduct.
To improve the odds of a successful attack, cyber attackers will shift their strategy from phishing to spearphishing, which means that they use information gathered about their specific targets to craft personalized, more enticing messages. For example, an attacker might impersonate an acquaintance of their target. Or, an attacker might use the personalized advertising tools available on social media to send enticing content to groups of like-minded persons, such as those who are pro-gun, pro-immigration, or pro-environment. The Russians did precisely this, posing as gun-rights activists, and taking on other identities to reach and influence sympathetic groups of Americans. In all cases, the attackers will use the psychological "weapons of influence" to affect their audience’s decisions. Better information improves the attacker's odds of success. Social media provides exactly this sort of personal information, as evidenced by the willingness of marketers and political parties to pay billions of dollars annually to leverage it to create "personalized ads," which is simply legalized spearphishing.
A former senior staffer at Google noted in 2019 that information technology companies are not merely collecting information about their users, e.g., to create profiles, but are instead creating computer simulations of every individual’s personality, which he called “avatars.” These avatars have a cause-effect logic to them, enabling companies to simulate every person’s likely response to stimuli, such as an advertisement. Cambridge Analytica was revealed to have discreetly given psychological tests to Facebook users, which Cambridge Analytica then allegedly used to influence the results of the 2016 U.S. Presidential election. Every user click, “like,” social connection, etc. is part of a very large dataset that is analyzed by modern psychological and “machine learning” techniques to identify specific levers of influence for each individual, and to refine each person’s avatar. The companies that legally create our avatars are in the business of selling them, and they have many buyers, both domestic and foreign. My point here is not about "privacy" in its own right, it's about power. The information that is collected by social media and other sources is weaponized legally by advertisers and can also be weaponized by foreign governments and non-state actors seeking to influence our elections, our debates, and other aspects of our interdependent community. This information is a non-trivial source of power.
At what point do these efforts actually sway an election in Russia's favor? Whether the 2016 U.S. presidential election was such a case is probably unknowable, and my purpose here is not historical. Other U.S. adversaries have likely seen the effects of the Russian efforts and decided to jump into the game. Other forms of influence (Covert Action) are undoubtedly being planned and implemented. Further, as rapidly improving technology increases our connectivity and the speed with which we can be reached, the ability of our adversaries to influence our citizens and leaders en masse will also increase. The instruments of counter-intelligence are inadequate to handle this threat, just as they were inadequate to thwart the terrorist and cyber threats.
CONTROL AND INFLUENCE
In the security field, it is common for persons to speak of "security controls." A lock on a door, for example, is a security control, in that one requires a capability to bypass it. An attacker must steal a key, pick the lock (exploiting a vulnerability in the locking mechanism), or bust down the door (exploiting a vulnerability in the door's overall sturdiness). A security camera, though, is not a control. It does not prevent anyone from doing anything. It merely records the crime being committed. Yet, a camera, if conspicuously placed, might deter a potential criminal from committing a crime if the person decides that the camera will lead to their arrest. In this sense, the camera can "influence" a potential criminal into deciding to not commit the crime. In the end, though, it is the person who merely makes a decision. With this construct in mind, let us consider a potential Russian objective. If Russian leadership aims to increase the odds of a pro-Russian candidate being elected as U.S. President, then it has, notionally, two paths that it can follow. First, it could "hack" into the computer systems used by U.S. election officials and change individual votes in its favor. This approach is a form of "control," and poses a high risk of retribution if discovered. Second, Russia could use social media and human psychology to influence persons to decide to vote in a favorable manner. Each individual voter still decides, but they are being influenced toward a particular decision. The latter seems to be the Russian approach to the 2016 election, and, if the FBI Director is correct, the 2020 election, as well. Attackers, both foreign and domestic, are now able to use large amounts of highly personalized behavioral cause-effect information (your secret avatar) to implement influence campaigns that have a non-trivial probability of success.
This influence tactic can be used beyond the manipulation of election results. In an extreme case, it could be used to influence persons into a state of anger, leading them into protests, and possibly violent riots. Could American adversaries be seeking to incite a Civil War, as far-fetched as that might feel? Either of these results is highly harmful to the U.S., and I urge our policymakers and security agencies to aggressively frustrate any attempts to cause them, before an Influence-9/11 teaches us this lesson the hard way. Simply investigating these acts after-the-fact, as was done with the 2016 election, and pre-9/11, is insufficient. Several proactive measures can be taken toward this goal.
AN APPROACH TO COUNTER-INFLUENCE
Influence operations cannot be countered decisively, as the elements of their success are sewn into the fabric of a democratic society: freedom of commerce, information, and choice. An attacker need only decide to use them maliciously. Therefore, it is not through security controls, such as barbed wire fences, that Counter-Influence efforts will succeed. To counter influence, one must influence the potential attackers. I recommend a response that seeks to simultaneously accomplish three distinct, yet interrelated, objectives. They are:
1. Increase the risk to the attackers.
The U.S. government must demonstrate an ability and willingness to harm the perpetrators and facilitators of influence operations. This concept is not new to the security community, as it underpins deterrence. Use the techniques of coercion to steer potential adversaries away from a decision to conduct these attacks, and toward decisions that are deemed favorable.
2. Increase the cost to the attackers by denying and degrading the attackers’ infrastructure and tools.
As they did after 9/11, the U.S. security agencies must collaborate with technology companies to discover and disrupt the malicious use of information technology. These authorities need not tread on constitutional privacy protections, as the content of individual user accounts is not helpful to this cause. Rather, the government should monitor how social media information is used, who is using it, and how their efforts are tailored to reach select audiences. Technology companies are currently claiming that they will perform these security functions, but our reliance on them is irrational and akin to letting the fox guard the hen house. The technology companies are financially incentivized to maximize the use of our information. Therefore, the government must be an independent and active partner.
3. Decrease the possible gain to the attackers by hardening the potential victims and altering the attack landscape.
U.S. security agencies must educate the potential victims of influence campaigns about their existence and tactics. Increasingly, individual human decision-making is fused via information technology with the persons behind the data feeds. Build a public resistance through education, both general and specific. This provocative point warrants elaboration, which follows.
INFORM OUR DECISION-MAKERS
The mission of intelligence is to inform decision-making, and the U.S. Intelligence Community directs its efforts toward a narrow set of decision-makers: the President, Congress, and, by extension, their senior civilian and military advisors. Yet, there is another pool of decision-makers that are essential to a democracy: each individual citizen. Collectively, they decide who will hold elected office. Individually, they decide how they will commercially engage with foreign governments that may secretly be stealing from them. Informing the citizenry is often left to the media. Yet, as was demonstrated by the Russians around the 2016 election, the media can be an unwitting participant in a Covert Action campaign. The media is ill-equipped and ill-incentivized to bear this important responsibility alone.
In a democracy, every citizen is an active decision-maker with some sway over our national security. Our intelligence community should not merely aim to inform our political leaders, it should also aim to educate each citizen. I do not expect this idea to be received favorably. In 2015, while an employee at NSA, I sent an email to the advisory panel of the Director of the NSA, entitled "Education, not Transparency." Transparency is a checkbox, whereas education is empowering. I argued a number of the points in this article. It seemed obvious to me then, and more obvious to me now, that the public, and even persons within the U.S. security community, are under-informed, and often misinformed, about this threat landscape. Only they can decide whether they will be influenced, yet they have few means to harden themselves.
Case in point, one influence operation that is likely already underway looms large in America’s future. In 2014, a Chinese intelligence service stole from the U.S. Office of Personnel Management (OPM) the security background verification information for more than 20 million U.S. government persons seeking a security clearance. The material that they stole included SF-86 forms, which are like Facebook accounts on steroids. They contain highly sensitive personal information and possibly notes added by investigators: debt issues, substance abuse, infidelity, etc. The attackers know the full contents of each file, but the persons described in them do not. This information makes the persons with America’s most sensitive accesses more vulnerable to coercion and other forms of influence. Rear-view mirror counter-intelligence strategies would aim to detect any Chinese attempts to recruit some of these U.S. employees as spies. In contrast, forward-looking counter-influence strategies assume that the Chinese will go beyond recruiting a few persons and will use the “weapons of influence” to broadly disenfranchise America's national security workforce. To my knowledge, the U.S. government has not yet begun hardening even these highly lucrative victims against the influence operations to come. Unless the U.S. adopts a comprehensive Counter-Influence strategy soon, the likelihood of an adversary’s success will grow perilously high.