A New York Times article this month revealed a new tactic in the US war against election disinformation. US election officials had notified Russians suspected of involvement in online disinformation campaigns in the lead up to the mid-term elections that they were “on notice”, and that their work was being tracked.
The individuals concerned, members of oligarch funded hacking groups and Russian intel operatives, have not been publicly named. But they have been alerted to US knowledge of their activities, presumably in an attempt to stymie their attempts to influence US election outcomes. This is first known overseas cyber operation to protect American elections, and it marks a shift in US cyber campaigning on disinformation that likely has its basis in new offensive capabilities contained in the new White House Cybersecurity Strategy.
US intelligence agencies are reluctant and indeed legally unable to target their own citizens’ role in disinformation. This is a problem.
In July, the FBI released a report highlighting the scale of the disinformation campaign, following indictments of individuals involved in July and February this year. These earlier indictments follow the “name and shame” model which has its roots in the Obama administration’s response to the huge hacking operation against Sony in 2015. The tactic relies on the “named” individuals and their state sponsors taking heed of the threat of sanctions in order to mitigate their behaviour.
The activity revealed in the New York Times article is similar, but takes place overseas – in the mailboxes of Main Intelligence Directorate (GRU) trolls and their friends — and in private. This marks a significant shift because it targets individuals for their activity, but does not do so publicly. It is instead a kind of covert demonstration of power, targeting individuals to implicitly warn them, perhaps, of the risks of continuing their behaviour, rather than to shame them.
Proponents of the naming and shaming tactic and of this recent variation suggest it allows actors to engage without imminent danger of escalation. But both variations are also controversial.
On the original “naming and shaming” tactic, cybersecurity analysts worry that because the “naming” is public it requires evidence, which means the process risks revealing espionage sources and methods, compromising future operations. Beyond concerns about sources and methods, a recent FBI cybersecurity alert suggested that the “naming and shaming” technique was unlikely to work against states which were unable to be “shamed”, such as North Korea. Critics suggest Russia may be similarly immune.
But in his remarks accompanying the release of the July report, Deputy Attorney General Rosenstein argued for the technique, noting that accompanying the threat of severe economic sanctions and travel bans, it was targeted at and effective against individuals as well as the state agencies by which they were employed.
In many ways, the latest variation mitigates some of the concerns about revealing methods, and echoes Rosenstein’s emphasis on individuals and their incentives, rather than states. Alerting hackers and trolls individually rather than indicting them publicly removes the need to provide public evidence, but still carries a forceful hint of the long arm of US law enforcement. It is not yet clear whether this latest variation will have the desired effect.
Some analysts suggest that the combined efforts of the public and private sector have worked, with the scale of online disinformation surrounding the midterms, at least, less than expected, though many look ahead to the 2020 election as the real test of success. Reducing the scale of online disinformation will certainly help. Reducing the endless “botstorms” that swept content across the internet in 2016 can only be a good thing.
But, at least publicly, US intelligence agencies are reluctant and indeed legally unable to target their own citizens’ role in disinformation. This is a problem.
Disinformation campaigns abroad cannot account for the fact that consumption and propagation of disinformation appears to be weighted along partisan lines. Disinformation campaigns targeting outside influences can’t address those who create or amplify disinformation material within the United States. And they cannot account for the fact that most Americans still get their news from television, nor for the fact that they still trust network sources more than social media when it comes to news, whatever its veracity.
Stopping the disinformation cycle in this context depends on a citizenry and their representatives prepared and able to step outside an unbridled and unfettered media cycle, both online and off. This past weekend, the President of the United States, who doesn’t believe in the problem of Russian disinformation, approvingly tweeted a hashtag that has been linked to Russian bots. Disinformation indeed.