The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Facebook owner says pro-U.S. online campaign had military ties

Welcome to The Cybersecurity 202! After today we’ll be gone until Monday, so have a great holiday weekend.

Below: Companies call on the FCC to add advanced firewalls to a discount program for schools and libraries, and Brazil’s president says an apparent voting machine bug means votes should be thrown out (even though experts say it doesn’t affect election results). First:

Meta says it found U.S. military links to fake online accounts

Facebook and Instagram parent Meta has confirmed Washington Post reporting about the origins of a network of fake accounts on Facebook, saying it “found links to individuals associated with the U.S. military.”

The company’s report comes after a September story by my colleague Ellen Nakashima, and provides a few additional details about the campaign that pushed messages favorable to the United States.

The Pentagon ordered an audit of clandestine information warfare in response to the public exposure of the network by researchers from Graphika and Stanford University’s Internet Observatory, with whom Meta shared details of its investigation. U.S. Central Command is among the entities whose activities were under Pentagon review.

“The people behind this activity posted primarily in Arabic, Farsi and Russian about news and current events, including terrorism concerns and praise of the U.S. military, as well as content about the covid-19 pandemic — some of which we removed for violating our misinformation policy,” Meta’s report says. “This operation also shared posts criticizing Iran, China and Russia, including Russia's invasion of Ukraine, China's treatment of the Uyghur people, Iran's influence in the Middle East and the support of the Taliban regime in Afghanistan by Russia and China.”

  • Some of the accounts also posted about sports and culture in particular countries, Meta said.

Meta said it discovered the campaign’s links to the U.S. military despite attempts by the individuals responsible to hide their coordination and identities. Facebook doesn’t allow users to create accounts under names that aren’t their own.

The campaign got very little engagement, and it wasn’t especially large. In all, Meta took down 39 Facebook accounts, 16 pages, two groups and 26 accounts on Instagram, numbers that Graphika and Stanford included in their August report.

Here are some of the new details Meta revealed: 

  • Around 22,000 accounts followed one or more of these pages.
  • Approximately 400 accounts joined at least one of the groups set up by the fake accounts.
  • Around 14,000 accounts followed one or more of their Instagram accounts.
  • The campaign spent around $2,500 on Facebook ads paid for in U.S. dollars and British pounds.

Meta said the campaign included four separate and short-lived efforts in the fall of 2021 and 2022. The Graphika/Stanford report described it as a series of covert campaigns over five years that was not limited to Facebook and Instagram but also ran on Twitter and five other social media platforms.

Facebook had previously raised concerns with the Pentagon about accounts it had to remove in 2020, Ellen reported: 

  • “That summer, David Agranovich, Facebook’s director for global threat disruption, spoke to Christopher C. Miller, then assistant director for Special Operations/Low Intensity Conflict, which oversees influence operations policy, warning him that if Facebook could sniff them out, so could U.S. adversaries, several people familiar with the conversation said.”
  • “His point was ‘Guys, you got caught. That’s a problem,’” said one person who spoke to Ellen on the condition of anonymity to discuss sensitive military operations.

Meta’s decision to go public about the U.S. campaign isn’t controversial in the cybersecurity world.

The Cybersecurity 202 Network, a panel of cyber experts, agreed that U.S. companies and organizations should publicly call out hacking and disinformation operations even if the United States is behind them. Around three-quarters of respondents said in a September poll that U.S. organizations should reveal such operations.

It’s to the benefit of the companies to do so, noted Andy Ellis, operating partner at YL Ventures.

“There are two good reasons for companies not to conceal operations they find that happen to be U.S. operations,” he wrote. “First, if companies and organizations are able to identify U.S. agencies, then the feedback to the agency can be viewed positively, helping them improve. Second, and probably more importantly, if a U.S. firm is selling in the global marketplace, creating a clear separation between the company and the U.S. government is necessary to build trust in worldwide customers.”

The Pentagon referred a request for comment to U.S. Cyber Command, which has no reported role in the campaign Meta wrote about in its report. Asked for comment, Cyber Command referred us back to the Office of the Secretary of Defense.

Congress in 2019 authorized the Defense Department to conduct operations in the “information environment” to counter foreign disinformation and protect the United States. But the White House and other federal agencies raised concern about the Pentagon’s activities. 

The Pentagon review could serve as a model for other democratic countries, Emma Briant, a fellow at the Central European University’s Center for Media, Data and Society, wrote in a post for Tech Policy Press.

“With the current review underway, the Pentagon has an opportunity to set an example for how democratic militaries around the world should develop ethical, transparent standards for tomorrow’s information wars,” she wrote. “Any review should especially make clear acceptable limits on creating and encouraging social movements that can risk civilian lives, especially where incentives and coercion are applied, or where it is known that local people will risk persecution for protests and may be limited in ability to achieve their goals.”

The keys

FCC should add advanced firewalls to list of discounted school equipment, firms say

Five companies told the Federal Communications Commission in a letter that including next-generation firewalls in the FCC’s E-Rate discount program could help schools and libraries that are trying to fend off cyberthreats with limited IT resources. A flurry of groups have made similar arguments to the FCC, including more than 1,100 school districts like the Los Angeles Unified School District — which was hit in a ransomware attack this year — and the American Library Association, which says it represents 120,000 libraries.

The letter was signed by Fortinet, ENA by Zayo, Microsoft, Cisco and Hewlett-Packard Enterprise. The FCC did not respond to a request for comment.

This year, schools around the country have been hit in dozens of ransomware attacks. It can be particularly difficult for cash-strapped schools with small IT staffs to defend themselves against hackers willing to put sensitive student information online.

Bolsonaro challenges election loss in Brazil over voting machines

Brazilian President Jair Bolsonaro wants the country’s electoral authority — which has already declared that former president Luiz Inácio Lula da Silva won the country’s presidential election — to throw out ballots cast on voting machines from before 2020, the Associated Press’s David Biller and Carla Bridi report. If the votes were annulled, it would give Bolsonaro a reelection win, according to lawyer Marcelo de Bessa, who filed the request for Bolsonaro and his Liberal Party. 

“Liberal Party leader Valdemar Costa and an auditor hired by the party told reporters in Brasilia that their evaluation found all machines dating from before 2020 — nearly 280,000 of them, or about 59 percent of the total used in the Oct. 30 runoff — lacked individual identification numbers in internal logs,” Biller and Bridi write. “Neither explained how that might have affected election results, but said they were asking the electoral authority to invalidate all votes cast on those machines.”

“The bug hadn’t been known previously, yet experts said it also doesn’t affect results,” Biller and Bridi write. “Each voting machine can still be easily identified through other means, like its city and voting district, according to Wilson Ruggiero, a professor of computer engineering and digital systems at the Polytechnic School of the University of São Paulo.”

Global cyberspace

Guadeloupe government fights 'large-scale' cyberattack (Associated Press)

Government scan

CISA releases updated infrastructure guide for local government, tribal defenders (The Record)

Encryption wars

The secret history of encrypted DMs on Twitter (Platformer)

Industry report

Trade organization urges OMB to ‘harmonize’ secure software development practices (NextGov)

Secure log off

Thanks for reading. See you next week.