The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Ukraine wants social media to up its game against Russian propaganda


Good morning Cybersecurity 202 readers! I'm The Washington Post's tech policy reporter, and it's great to fill in on this newsletter and start the day with you. Send me tips, suggestions and predictions about privacy and disinformation at: cat.zakrzewski@washpost.com. There's no Cybersecurity 202 tomorrow, so have a great weekend and we'll see you back here Tuesday.

Below: The Cyber Safety Review Board releases a report on the log4j vulnerability, and a jury finds an ex-CIA employee guilty on charges surrounding WikiLeaks' publication of a trove of secret documents. First:

Ukraine to social media platforms: Do better

It’s been called the TikTok war. But six months into the bloodshed in Ukraine, the country’s tech officials say they have questions about how the platform is handling Russian misinformation and disinformation. 

  • “There [are] a lot of Russian propaganda narratives in TikTok,” a representative from the Ukraine Ministry of Digital Transformation told The Cybersecurity 202, speaking on the condition of anonymity to candidly discuss the state of information warfare. It’s “the weakest and least efficient platform in terms of countering Russian disinformation.”

Ukrainian officials report they’ve seen a new wave of Russian bots and propaganda around the world. They’ve also had problems with the constant blocking of Ukrainian accounts and narratives across social media. TikTok did not immediately respond to a request for comment. 

Propaganda

Ukrainian officials say Big Tech hasn’t kept up with the spread of Russian disinformation. 

Tech companies took aggressive steps to weed out misinformation and disinformation in the early days of the war, developing policies to limit Russian state media and supercharging their fact-checking teams. But as the Russians’ tactics are evolving, officials say the tech companies aren’t keeping pace. 

There have been questions about TikTok's preparedness to address Russian propaganda since the start of the war. Unlike some of its counterparts, it didn't have a policy in place to label state media operations when Russian tanks rolled into Ukraine. But it quickly stood one up. In a tense email exchange in early March, Ukrainian officials, including Digital Transformation Minister Mykhailo Fedorov, compared Russian state media efforts to Hitler’s propaganda minister, Joseph Goebbels, my colleagues and I reported at the time.

In March the company said it was funneling more resources to addressing the war. “We continue to respond to the war in Ukraine with increased safety and security resources to detect emerging threats and remove harmful misinformation and other violations of our Community Guidelines,” TikTok spokeswoman Jamie Favazza said at the time.

Policing platforms

TikTok isn’t alone. 

My colleague Will Oremus reports this morning on new research from a European nonprofit that shows Ukrainian officials have flagged thousands of tweets, YouTube videos and other social media posts as Russian propaganda or anti-Ukrainian speech. But major social platforms have grown less responsive to those requests. (The study did not cover TikTok). 

  • “When it was the first months of full-scale Russian aggression, [the U.S. tech companies] were very proactive, very interested to help,” Mykola Balaban, deputy head of Ukraine’s Center for Strategic Communications and Information Security, a government agency, told Will. “Now they are avoiding to make a call with us.”

The report, prepared by the Europe-based Disinformation Situation Center, said that more than 70 percent of posts flagged as anti-Ukrainian hate speech on YouTube and Twitter remained available as of late June, while more than 90 percent of the accounts responsible for such posts remained active. Meanwhile the researchers found that Facebook had removed all 98 of the posts the Ukrainian government and its partners flagged as containing anti-Ukrainian hate speech, though many of the accounts responsible remained active.

Balaban told Will that some of the companies, including Meta-owned Facebook and Microsoft’s LinkedIn, have continued to talk to the agency. But Google-owned YouTube has stopped returning its calls. 

Limited resources

Tech giants’ guards are down as war headlines have faded in the United States. 

Major tech companies have long faced criticism for only responding to problems on their platform when they face public pressure or media scrutiny. And generally they have far more resources dedicated to content moderation in the United States than the rest of the world. 

  • “I don’t think it’s bad will on the part of the tech companies,” Felix Kartte, senior adviser for the global nonprofit advocacy group Reset Tech, which focuses on accountability for social media platforms, and a co-author of the report, told Will. “It’s really just lack of resources, lack of investment, lack of preparedness,” and a shortage of staff with Russian and Ukrainian language skills and local expertise.

Some Ukrainian offices are having more luck than others. The Ministry of Digital Transformation, which has led the country’s outreach to Western companies to build a digital blockade, told The Cybersecurity 202 that it still has an open line with Meta, YouTube and Twitter. But the Ministry representative said there is a recent rise in Russian activity on YouTube and Twitter – and a corresponding wave of Ukrainian volunteers and media outlets being blocked on Facebook.

What they're saying

Tech companies say they continue to respond to Russian propaganda. 

  • YouTube spokeswoman Ivy Choi told Will the company has “stayed in regular contact with the Ukrainian government” and has removed more than 70,000 videos and 9,000 channels for violating its policies since the war began.
  • Twitter spokeswoman Elizabeth Busby said the company works with outside organizations and looks for policy violations. Busby told Will the company’s efforts go beyond leaving posts up or removing them, and that the work includes elevating credible information about the war. Twitter spokeswoman Ann-Marie Lowry told The Cybersecurity 202 that the company is continuing to “proactively assess for inauthentic behavior, including identifying and disrupting attempts to amplify false and misleading information and to advance the speed and scale of our enforcement."

The keys

Hackers used log4j vulnerability less than expected, new review finds

Starting in December, cyber defenders scrambled to fix a bug in the ubiquitous Log4j software library. The Cyber Safety Review Board, whose members include cybersecurity experts from the public and private sectors, focused its first report on log4j.

  • The board isn't aware of “any significant log4j-based attacks on critical infrastructure systems,” it wrote. It also found that generally, “exploitation of log4j occurred at lower levels than many experts predicted, given the severity of the vulnerability.” But that was a difficult conclusion to come to because of a lack of authoritative information about trends in hacks, it wrote.
  • The board also offered a stark warning about log4j, writing that it is an “endemic vulnerability.” Its ubiquity means that vulnerable versions will remain in systems for the next decade, and we will see exploitation evolve to effectively take advantage of the weaknesses, it wrote.
  • It also called out “troubling elements” of Chinese government rules for disclosing information about software vulnerabilities to Beijing within two days of their discovery by researchers. (The log4j bug was disclosed by an engineer at Chinese firm Alibaba; the company was reportedly punished for reporting the vulnerability too late to Chinese regulators.) The possibility that the Chinese government could get “a window in which to exploit vulnerabilities before network defenders can patch them” is “a disturbing prospect,” the board wrote.

The board also offered more than a dozen recommendations to help protect against similar vulnerabilities in the future. Here are a few:

  • Ingredients lists: The U.S. government “should be a driver of change in the marketplace around requirements for software transparency,” the board said. It called for the “use of procurement requirements, federal standards and guidelines, and investments in automation and tooling, to create clear and achievable expectations for baseline” information about software bills of materials.
  • Regulatory backup: The board praised the Federal Trade Commission’s “leadership” in pointing firms to the Cybersecurity and Infrastructure Security Agency's guidance about the vulnerability in January. At the time, the FTC said that it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data” from log4j-related exposure. That seemed to drive fearful companies to fix the bug, the board said. CISA should work with regulators to drive cybersecurity fixes, the board said, and regulators “should identify opportunities to direct or encourage their regulated communities to implement CISA guidance, advisories, and best practices,” it said.
  • New reporting system: The U.S. government should explore creating a Cyber Safety Reporting System built on voluntary reporting like NASA’s Aviation Safety Reporting System, the board said. That could “contribute to a systemwide view of the cyber ecosystem and expand and centralize the existing external reporting and coordination of cyber safety issues,” it wrote in the report.
  • Boosting the open source community: The open source software community, which is largely staffed by volunteers, “is not adequately resourced to ensure that code is developed pursuant to industry recognized secure coding practices and audited by experts,” the board said, arguing that the public and private sectors need to “create centralized resourcing and security assistance structures that can support the open source community going forward.”

Jury convicts ex-CIA employee of leaking secret hacking files

Joshua Schulte was found guilty on all nine charges relating to WikiLeaks’ 2017 publication of a trove of files relating to the Central Intelligence Agency’s hacking arsenal, the Associated Press’s Larry Neumeister and Tom Hays report.

Prosecutors argued that Schulte, a former CIA coder, sent WikiLeaks the files after his work complaints weren’t taken seriously; Schulte, who chose to represent himself in the trial, argued that the CIA blamed him because the intelligence community needed a scapegoat.

Jurors had deadlocked in a 2020 trial of Schulte, and a judge declared a mistrial. Schulte awaits trial on separate charges; he's accused of possessing and transporting child sexual abuse materials.

Global cyberspace

White House wants transparency on American investment in China (Ellen Nakashima)

Biden’s spyware conundrum on Mideast trip (Politico)

Cyber insecurity

New Lilith ransomware emerges with extortion site, lists first victim (Bleeping Computer)

Hill happenings

Sen. Warner maneuvers to secure intelligence community backing of tech antitrust bill, sources say (CyberScoop)

National security watch

TikTok use by military poses security risk, U.S. regulator testifies (Bloomberg)

Daybook

  • The House Judiciary Committee holds a hearing on government access to personal data on Tuesday at 10 a.m.

Secure log off

Thanks for reading. See you tomorrow.
