The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

A phony, U.S.-friendly social media campaign prompts questions

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! After this morning, we'll be away for a bit to close the month. See you next on Sept. 6. 

Below: The Twitter whistleblower will testify before a Senate committee next week, and a DHS advisory council shares its recommendations for countering disinformation. First:

Fake accounts pushed a pro-Western narrative, researchers find

Facebook and Twitter took down a network of fake accounts that promoted pro-Western messages in the Middle East and Asia, according to a splashy joint report Wednesday from Stanford University and the network analysis firm Graphika.

A spokesperson for Meta, Facebook’s parent company, said it was the first time it “has removed a foreign-focused influence network promoting the United States’ position,” as my colleague Naomi Nix reported (with an assist from Ellen Nakashima).

The report doesn’t claim the U.S. government sponsored the campaign, despite drawing potential links. Nor do Facebook or Twitter. Nonetheless, the findings raise fascinating questions about the limits of the U.S. government to conduct cyber-related activities overseas, and the willingness of U.S. organizations to call it out.

Examining the report

The network of fake accounts touted messages that supported the United States while opposing those of others, like China, Russia and Iran, according to the report. (Major social media companies are usually taking down fake news campaigns from, well … China, Russia and Iran.)

Wednesday’s study said the batch of pro-U.S. accounts even did things that everyone does on social media, like post cat pictures, in a bid to appear like authentic users.

The report made an impression on the internet. Here’s Rolling Stone reporter Adam Rawnsley:

But it’s important not to overstate the reach of the removed network of fake accounts. Here’s journalist Kim Zetter:

There’s a fuzzy line connecting the campaign to a prior, more overt U.S. campaign by U.S. Central Command, which is part of the Defense Department. The Stanford Internet Observatory’s Renee DiResta explained:

What the U.S. can do

To emphasize, no one has said the U.S. government was behind the network. But it’s a reminder of past incidents raising the issue of whether feds can hype the U.S. message using fake accounts.

For instance, the issue drew attention all the way back in 2011:

  • “The US military is developing software that will let it secretly manipulate social media sites by using fake online personas to influence internet conversations and spread pro-American propaganda,” the Guardian reported at the time about a Central Command contract.

The Defense Department recently spelled out guidelines for using official social media accounts.

As for the story Wednesday about the fake accounts:

  • “Brig. Gen. Patrick S. Ryder, Pentagon press secretary, said in a statement the Defense Department would ‘look into and assess any information that Facebook provides.’”
The researcher side of things

Another interesting component of the report is who published it: a U.S. company and a U.S. university.

Usually, reports on U.S.-based internet or cyberspace activities come from overseas. Most recently, a Chinese cybersecurity firm alleged in February that a decade-old exploit was the work of a hacking group associated with the U.S. National Security Agency.

Russia-headquartered cybersecurity firm Kaspersky reportedly exposed a U.S.-led counterterrorism cyberespionage operation in 2018, although the company didn’t attribute the operation to the United States. It only said an “advanced persistent threat” group was behind it — a term often used in the cybersecurity field to describe hackers associated with a nation-state. Kaspersky also outed the Equation Group, suspected of NSA ties. 

Some U.S. cybersecurity companies have expressed reservations about the idea of burning U.S. cyber operations. Many of them collaborate with the U.S. government in examining threats.

A 2020 study pointed to further instances of intermingling where government agencies share information on hackers with cyber companies:

  • “In these cases, the government shares classified information with particular tech companies with the intent that the companies use the information to make attributions that the government wants them to make, but does not want to make itself (at least at that time). The companies effectively ‘launder’ the information for the government, presumably because the public sees the companies as more neutral and objective than the Executive.”

The U.S. angle doesn’t seem to have presented any issues with Wednesday’s report, or prevented a response.

“There was absolutely no hesitation in publishing the report,” John Perrino, a policy analyst for the Stanford Internet Observatory, told me. “The Stanford Internet Observatory has not reached out to U.S. government officials about the Unheard Voice report to inquire about responsibility.”

Said Twitter spokesperson Elizabeth Busby: “We continue to disclose information operations identified on Twitter, given their severe impact on public discourse around the world — regardless of their presumptive country of origin.”

The keys

Twitter whistleblower will testify before Senate committee next month

Former Twitter security chief Peiter “Mudge” Zatko will appear at a Sept. 13 Senate Judiciary Committee hearing pursuant to a subpoena, Cat Zakrzewski reports. The hearing was announced just a day after The Post reported that Zatko had filed a whistleblower complaint alleging that Twitter has had “extreme, egregious deficiencies” in defending against hackers.

  • Beyond the hearing, Senate Judiciary Committee Chairman Richard J. Durbin (D-Ill.) and the committee’s top Republican, Sen. Charles E. Grassley (R-Iowa), said they’d “take further steps as needed to get to the bottom of these alarming allegations.”

Regulators in Europe have also taken notice of Zatko’s complaint. 

  • Ireland’s Data Protection Commission, the lead E.U. supervisor of Twitter’s compliance with European data protection rules, “became aware of the issues when we read the media stories [yesterday] and have engaged with Twitter on the matter,” deputy commissioner Graham Doyle told TechCrunch’s Natasha Lomas.
  • France’s data-privacy agency, CNIL, says it’s “studying” the complaint that Zatko sent to U.S. regulators, Politico Europe’s Peter O’Brien reports. “If the accusations are correct, the CNIL could take action leading to legal proceedings or a sanction, if it's clear there were breaches,” the regulator added. 
  • Twitter general counsel Sean Edgett told employees that the company reached out to “various agencies” around the world before The Post and CNN published stories on Tuesday about Zatko’s whistleblower complaint, Reuters reported. Twitter officials including chief executive Parag Agrawal and Edgett continued to push back on Zatko’s allegations, with Agrawal saying that they were “foundationally, technically and historically inaccurate,” the outlet reported.

Zatko’s complaint also made an appearance at a court hearing in Delaware. Lawyers representing Tesla chief executive Elon Musk used the high-ranking former Twitter executive’s allegations to argue for more data to support their case at a discovery hearing, Faiz Siddiqui and Elizabeth Dwoskin report

DHS advisory council advances report on disinformation work

The Homeland Security Advisory Committee, a group of outside advisers appointed by DHS leaders, unanimously approved a subcommittee report on the department’s disinformation work, sending it to Homeland Security Secretary Alejandro Mayorkas’s desk. The report calls for DHS to standardize its work to counter misinformation and disinformation, effectively communicate about its work to combat inaccurate information and “bolster the role” of its intelligence and analysis wing, which gets reports about disinformation from the U.S. intelligence community and other organizations, according to the report.

The report comes three months after DHS paused its Disinformation Governance Board amid Republican criticism. The Homeland Security Advisory Council last month urged Mayorkas to scrap the board, saying it wasn’t necessary. Mayorkas on Wednesday officially scrapped the board and rescinded its charter. He said in a statement that DHS welcomed the board's recommendations.

“With the HSAC recommendations as a guide, the Department will continue to address threat streams that undermine the security of our country consistent with the law, while upholding the privacy, civil rights, and civil liberties of the American people and promoting transparency in our work,” Mayorkas said in the statement.

Cyber insecurity

Ethereum ‘bug bounties’ jump to $1 million before software upgrade (Bloomberg)

Industry report

YouTube is testing its theory on curbing misinformation in Europe (Protocol)

Global cyberspace

Over 80,000 unpatched Hikvision cameras exposed to takeover (SecurityWeek)

Securing the ballot

Paxton legal opinion giving public immediate access to ballots jeopardizes election security and invites lawsuits, experts say (Votebeat)

On the move

  • Tom Kellermann has joined Contrast Security as its senior vice president of cyber strategy. Kellermann previously was head of cybersecurity strategy at VMWare and chief cybersecurity officer at Carbon Black Inc.

Secure log off

Thanks for reading.