HAS INFORMATION GONE ROGUE?
18 OCT 2016
So I am back because the second trailer of Rogue One was released a few days ago and because of that other cyber security related thing some of you may have heard of: #WikiLeaks.
I have been extremely reluctant to make any comments on the #Podesta e-mails; there has been plenty of commentary and punditry on the issue and how it will affect the campaign of #HillaryClinton, therefore one more opinion would not necessarily add to the body of knowledge. But, I do have this open question: why is anybody surprised a breach of this magnitude could occur?
Moving on, this article has a very different intent, namely: broad issues related to Information Warfare (IW) and Information Operations (IO).
Information as the Weapon is Nothing New
While IW and IO are generally accepted to be 20th Century Western concepts, I respectfully suggest that IW and IO have been around for some time. The Ancient Greeks and Romans understood the vital need to protect information, particularly military intelligence, and thus would use cryptography and steganography to conceal and protect information; in other words, early forms of communication security (COMSEC) which are still in use today.
The Ancient Chinese also used IW and IO. Simply consider Sun Tzu’s theory that “all warfare is deception” and it becomes easy to understand why the manipulation of information is essential to successful warfare. The 36 Stratagems reinforce this line of thought. Please note: while “strategy” and “stratagem” are sometimes used interchangeably, they are not synonyms, and – culturally and linguistically outside of the English language – may differ more than they would in English. These are different and should be treated as such.
Perhaps the most prolific employers of IW and IO in recent memory are the Russians. Disinformation (again, different from misinformation) is a relatively “new” (historically speaking) concept, as there was no real English form of the word until the 1980s. But one could argue that disinformation has roots in the older “maskirovka” (which was possibly influenced by the Far East cultures in Japan and China). The Russian Army even had a deception school in the early 1900s.
The United States Department of Defense is credited with the term “Perception Management” which is defined as: Actions to convey and/or deny selected information and indicators to foreign audiences to influence their emotions, motives, and objective reasoning as well as to intelligence systems and leaders at all levels to influence official estimates, ultimately resulting in foreign behaviors and official actions favorable to the originator’s objectives. In various ways, perception management combines truth projection, operations security, cover and deception, and psychological operations.
In other words, IW and IO may not be the recent phenomena some make them out to be. Information is at the heart of all these techniques and terms, whatever they are called, meaning that IW and IO have been around for some time, but perhaps in different shapes and forms.
Here comes the (recent) difference though…
Technology Changes the Nature of the Weapon
Technology and means of distribution for information are the dynamic variables with the Internet (a technology) acting as the fuel for much of information liberalization and dissemination. Whereas in the past a few documents would be passed to a news reporter and then printed in a newspaper or a periodical, now many documents are being passed through multiple mediums.
To use an analogy: throwing a hard projectile (such as a four-pound rock) with your hand at somebody could hurt them quite badly; modify that projectile slightly (such as a four-pound iron cannonball), make that projectile travel at over 200 MPH, and put a bunch of them in a row, and you will surely do some serious damage.
Therefore, we should not kid ourselves that all information sharing and dissemination is for purely academic and benign intent with a view to create some utopian society (I promise I still hear people say this and believe it to the core!!!). People and societies have interests. And they will do what they can to promote, support, and protect those interests (spoiler alert: not everybody has the same interests).
The United States, for example, was keenly aware of the power that information dissemination had, particularly during the Cold War, with Radio Free Europe (RFE) and Radio Liberty (RL) acting as prime examples. By using radio transmissions to “free [the] flow of information [news, information, and analysis into areas where it] is either banned by government authorities or not fully developed” the United States was conducting IW and IO against the communist ideology. The KGB did its best to jam these radio transmissions, but that did not stop the US and their intelligence agencies from trying. And one could argue that the role of RFE/RL was critical to the defeat of communism and the breakdown of the Soviet Union and the Eastern Bloc Soviet satellite states.
In a closed society, such as the Soviet Union, this type of “impure propaganda from the West” could easily be seen as an existential threat, which is why the state had no problem blocking out this information (or making its best efforts to block it out), a type of behavior that would not be accepted in free and open societies.
But just imagine for a moment if the Internet, namely, social media, was available in 1949 (the year RFE was incorporated). Would the US not try to use social media in this campaign against the Soviet Union? My instinct is that they would. And if the Soviets had the capability to do the same against the United States, they probably would also.
A major difference is that the logistical hurdle of the time would have been jumped over. The United States had a strategic advantage in that they could place antennas (technology) in Free Europe and just crank out some wattage for the necessary signal strength (broadcasting a radio signal from Munich to Warsaw would have been easier than St. Petersburg to Chicago).
But the Internet, which operates in nanoseconds, with little-to-no signal degradation (assuming all data packets travel as they should), and can go easily all over the world, solves that technical problem. Blocking internet traffic in a closed society, no problem (it is called censorship). Blocking internet traffic in an open society, slightly more of a problem (this thing called “free speech” which is protected in most constitutions in Western democracies).
Information Liberalized can also be a Weapon Liberalized
Given the liberalization of information, I am not surprised one bit that an information campaign – particularly one that uses social media – would be in full force today. Nor am I surprised that more closed societies, such as Russia, would do whatever they can to block information coming into their territory by using executive action (such as the establishment of the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications, also known as the Roskomnadzor). It is called “protecting your interests.”
I am not going to speculate on who is responsible for providing WikiLeaks with the #Podesta e-mails. In this current environment, it is irresponsible. I am also honest about the limitations of what I know. My theories would just add to the ocean of theories published and discussed, adding little benefit, because they are just that: theories.
But what should concern us all is this: as information becomes more democratized and liberalized, more actors, with greater capability, also enter the theater. Intent is not really relevant here; the relevance is that these actors can do things that, not too long ago, were reserved for the state. Therefore, there is nothing stopping, for example, a consumer activist group from taking action against a corporation in much the same manner WikiLeaks is dumping e-mails that could hurt the Clinton campaign.
Furthermore, there is a smaller and smaller group who have the highly specialized skills to fully understand the technical nature of the Internet. Therefore, as this group of people become much more valuable, they also become that much more dangerous.
And “dangerous” should not be immediately translated into something “bad” in this context. Wayne Gretzky is perhaps the most “dangerous” hockey player in history (insert: Gordie Howe, Bobby Orr, and Mario Lemieux debate now) because of his prolific and virtually unmatched skill. In the heyday of the mid-1980s Edmonton Oilers, were opposing teams afraid of Wayne Gretzky? I suggest they were. He was dangerous because of his skill, not because he was some sort of nefarious actor.
Therefore, whether it is blind arrogance (“nobody can hack into the network security I built for my company and I am going to convince my CEO of that”), or nefarious action (“let’s see if I can hack this database and dump everything online because I’m pissed off at them”), or a sense of patriotism (“I can write and insert code into their military network and watch what they’re doing”), there is growing danger within this group due to capability, where the first example is a false sense of security; the second example is intent to conduct harm; the third example is pre-emptive action with the intent of protecting interests. Intent, at this moment in the commentary, does not really matter (but eventually it does).
With courts of public opinion, internet trolls, and online shaming sadly becoming a type of norm (almost a “guilty until proven innocent” type of mentality), I believe we are in a shift of how we input, validate, and react to information. Whether it is a good or bad shift, I do not know and only time will tell.
Therefore, it is worth asking: at what point does “social media” blend into “media” as we (in the West) have traditionally known it? Or at what point do super powerful “corporations” enter into some sort of “social contract” with the general public, in turn increasing their responsibility in the protection of the state?
I clearly do not have the answers to these questions, but these issues are at the core of the challenges we face, at least in open societies (repressive regimes will do what they wish and I believe we can take this as a constant if we look back through history). Once we answer these questions (and many more like them), I believe we will be in a better place to apply technical solutions we may be misappropriating right now.
Until then, we are going to have problems and some uneducated punditry will drive some of us completely mad, all the while spending a lot of good money after bad, leading into something much more worrisome…
Fueling the Vulnerability to IW, IO, PSYWAR, and PSYOPS
While I am not into the practice of publicly calling people out, comments such as those by CNN’s #ChrisCuomo made on live TV (“Remember, it is illegal to possess these stolen documents. It is different for the media. So everything you learn about this, you are learning from us.”) are the exact type of comments that drive people to alternative news sources; in turn, increasing the IW and IO vulnerability, particularly in societies where an open and free press is integral to a functioning society.
The issue is just too important to leave unaddressed, particularly in the larger context of IW and IO vulnerability. Therefore, I feel it necessary to discuss his comments at some length.
Chris Cuomo not only has a poor understanding of the law (small things, you know, like the difference between viewing and possessing, jurisdiction, enforcement, constitutional protections, and so on), but he acted in a grossly irresponsible way. Apart from demonstrating the exact type of elitism that further fuels the drive away from traditional media sources (more on this below), the media in Western societies is designed to act as some sort of validating source that can be trusted (feel free to debate around the coffee table whether it should be trusted as a validating source or not, as I am not getting into that discussion here).
Chris Cuomo may want to read up on some US Supreme Court rulings, such as First National Bank of Boston v. Bellotti, 435 U.S. 765 (1978), where the court rejects some sort of “greater” constitutional protection for members of the institutional press. As somebody who speaks on the subject matter, do I have to be a member of the institutional media business to talk on this matter? No. But in order to do so in a knowledgeable manner, I would, at least in theory – in order not to act irresponsibly – have to access and view the material. In Chris Cuomo’s view, my doing so would be illegal (here is a good post in the Washington Post as to why it would not be illegal).
Furthermore, Chris Cuomo is focusing on the wrong aspect. This issue is not the “who” but the “what” which is getting reported on (here is a good blog posting that does a much better job explaining than I could).
Because information has been liberalized, it was very easy to verify whether Chris Cuomo’s comments are valid or not; and these comments were immediately proven to be invalid, thus shattering what should have been a trusted source.
Doubling down, as he did today (18 OCT 2016) on his Twitter feed, @ChrisCuomo stated he “was wrong to combine classified emails and regular ones. and i never said you cant read them. we show wiki hacked emails daily”. All he did was continue his irresponsible behavior. He insinuates that WikiLeaks hacked John Podesta’s account (“we show wiki hacked e-mails daily”), something that has yet to be proven. If Chris Cuomo does have proof that WikiLeaks is responsible for the hacking, this is a very newsworthy story, but I assume he does not. Therefore, in his position, he should be more responsible in his choice of words.
Onwards, his talk of combining classified material in this context is irrelevant.
New York Times Co. v. United States, 403 U.S. 713 (1971), which related to the publication of the Pentagon Papers (a Department of Defense US-Vietnam Relations study), makes clear that the publication of the stolen documents should be authorized in accordance with the First Amendment. A 2014 article here does an excellent job explaining why. Therefore, if the first legal test is passed, where I can access/view the documents (it is), then the second test, publication authorized in accordance with the First Amendment, also passes.
And I have not even begun to touch on this thing called jurisdiction, as the First Amendment does not extend to any US-extraterritorial jurisdiction. Is Chris Cuomo, therefore, actually saying that US citizens are only allowed to consume specific news, from specific sources, from specific jurisdictions? I understand – and even accept – that may not have been his intent when uttering those words, but it is a short path to get to the suggestion I proposed, making his comments very irresponsible given his position.
Furthermore, the illegality Chris Cuomo speaks of rests with the person committing theft, not the person viewing/in possession of the stolen items. As Chris Cuomo characterizes his comments, Neil Sheehan of the New York Times would be the one committing the illegal act by being in possession of the classified Pentagon Papers, even though Daniel Ellsberg is the one who committed the crime.
Therefore, in Chris Cuomo’s world, any journalist in possession of stolen information that was passed on to them would be charged. But Sheehan was never charged with a crime; it was Ellsberg who was indicted and was later freed in a mistrial due to more illegal behavior (breaking into offices to steal medical files, possible offers of plum positions to officials, all interesting stuff that you can research at your own leisure).
The press needs to be responsible. GEN (Ret.) Michael Hayden, former Director of the NSA and CIA, in his book, Playing to the Edge, has a great part where a reporter was brought into his office at the NSA to discuss the programs the agency was conducting. It is worth a read if any of you have the opportunity. Surely this reporter had an incredible story…but would it do more harm than good to report that story? Glenn Greenwald has a worthwhile article here on the responsibility of journalists once they are in possession of information.
But the press also needs to be responsible in how they characterize things. In tense times, mischaracterizations add fuel to discontent and mistrust, increasing the vulnerability to IW and IO from adversaries. With “opinion” injecting itself more and more into “reporting”, journalistic integrity suffers. I will be honest with myself regarding this piece: there is a healthy dose of opinion, supported by some research. But I am disclosing that fact and to the best of my knowledge, I am not stating anything that is blatantly false; and if I am, once it is pointed out to me, I have to take responsibility for it. Similarly, I do not have the audience of CNN and I am not part of the institutional media, so my impact will probably not be so widespread. Chris Cuomo, who does have a large audience and is part of the institutional media, spoke with authority (as a function of his position), but was wrong; and then doubled down, making it more wrong.
But despite all the inaccuracies of legality in Chris Cuomo’s comments, that is not his greatest sin. The most damaging comment is: “It is different for the media. So everything you learn about this, you are learning from us.”
The Arrogance that Fuels the Vulnerability
This comment projects a level of arrogance that opens up the door to nefarious actors to use IW and IO, particularly against societies that rely on an open and free press. In fact, it is a gift to adversaries. To paraphrase, his comment was not one of, “hey, we’re trying to protect you, so don’t do this” but rather, “we are a different and more privileged class than you, so we know better and you’ll just have to listen to what we tell you.” Whether this was his intent or not is irrelevant. It is the perception (reference Perception Management from above) his comments have created.
The backlash (including my own) is overwhelming, because his comments come across as demeaning and elitist. In the worst of cases, these comments disenfranchise people, allowing adversaries to take advantage of real or perceived feelings and sentiment, such as: “why should I watch CNN when their anchors are blatantly wrong?” to “CNN is lying to me! I’m never watching them again!” I would argue that most decent people, regardless of background or culture, do not like being lied to; and to get colloquial, taking somebody to be a “chump” is enough to p!$$ somebody off.
Taking advantage of these feelings and sentiments is at the core of Psychological Warfare (PSYWAR) and Psychological Operations (PSYOPS), and in an era of liberalized information, traditional media sources need to be more responsible, otherwise they are only contributing to the problem. Yes, an open and free press is essential to the Western way of life; but an open and free press also has the responsibility to protect the Western way of life, not expose it to vulnerability.
So what happens when this type of irresponsibility occurs? People shift to alternative inputs for information, which may or may not have, or be, a validating source (even if the information is 100% authentic). For better or for worse, we have moved into a phase where “proof” is the only form of “trust” accepted (“I need to see a picture” or “I need to see the e-mail with all the headers”) in order to validate what we are seeing and hearing. Only time will tell whether this is healthy or not to society, but in the meantime, confidence in systems and institutions is being shattered.
And here is what could be the greatest danger, as people shift away from what should be trusted resources: these alternative sources are definitely vulnerable to things like echo chambers, groupthink, misinformation, disinformation, and conspiracy, particularly if messages are well crafted with kernels of truth. Therefore, the irresponsible comments, like those of Chris Cuomo, push people to different information sources, which may or may not be authentic. And in my own effort to be responsible (after all, I am publicly posting this), this is as far as I am willing to go on this conversation.
Information as a Weapon is Part of Our History
In closing, my point here is to say that information being weaponized is not a new phenomenon; this practice has been around for quite some time. Some societies in fact have relied on information being weaponized. What is different today is the delivery vehicle, not the munitions. And another difference is that more people have access to the munitions stockade (legal access or not) and almost anybody can design a delivery vehicle these days (Twitter, for example).
I understand I did not really touch on the “cyber security” aspect in this post in the way most think about it (firewalls, TCP/IP protocol, cloud security, threat intelligence, CND/CNE/CNA, etc., etc., etc.) but this post very much has to do with cyber security. Whether something is written on a pad with pen, or whether it is a series of notes heard, or whether it is a set of 0s and 1s that live in a digital space, they are all information; and secure information is vital to virtually everything we do.
Hope everybody is having a cheery day! 🙂