April 27, 2017
the Senate Armed Services Committee,
Subcommittee on Cybersecurity
on April 27, 2017.
Testimony of Rand Waltzman
Today, thanks to the Internet and social media, the manipulation of our perception of the world is taking place on previously unimaginable scales of time, space and intentionality.
That, precisely, is the source of one of the greatest vulnerabilities we as individuals and as a society must learn to deal with.
Today, many actors are exploiting these vulnerabilities. The situation is complicated by the increasingly rapid evolution of technology for producing and disseminating information.
For example, over the past year we have seen a shift from the dominance of text and pictures in social media to recorded video, and even recorded video is being superseded by live video.
As the technology evolves, so do the vulnerabilities.
At the same time, the
cost of the technology is steadily dropping, which allows more
actors to enter the scene.
This definition is applicable in military as well as civilian contexts.
(e.g. print media, radio, movies, and television) have been extended
to the cyber domain through the creation of the Internet and social
The ability to influence is now effectively "democratized," since any individual or group can communicate and influence large numbers of others online. Second, this landscape is now significantly more quantifiable.
Data can be used to measure the response of individuals as well as crowds to influence efforts. Finally, influence is also far more concealable. Users may be influenced by information provided to them by anonymous strangers, or even by the design of an interface.
In general, the Internet
and social media provide new ways of constructing realities for
actors, audiences, and media. It fundamentally challenges the
traditional news media's function as gatekeepers and agenda-setters.
Information environment security today (often referred to as cybersecurity) is primarily concerned with purely technical features - defenses against,
...and other attacks that typically take advantage of security vulnerabilities.
This view is too narrow, however.
For example, little attention has been paid to defending against incidents like the April 2013 Associated Press Twitter 6 hack in which a group hijacked the news agency's account to put out a message reading,
This message, with the weight of the Associated Press behind it, caused a drop and recovery of roughly $136 billion in equity market value over a period of about five minutes.
This attack exploited
both technical (hijacking the account) and psychosocial
(understanding market reaction) features of the information
The incident began when a young Hindu girl complained to her family that she had been verbally abused by a Muslim boy. Her brother and cousin reportedly went to pay the boy a visit and killed him. This spurred clashes between Hindu and Muslim communities.
In an action designed to fan the flames of violence, somebody posted a gruesome video of two men being beaten to death, accompanied by a caption that identified the two men as Hindu and the mob as Muslim.
Rumors spread like wildfire that the mob had murdered the girl's brother and cousin in retaliation over the telephone and social media.
It took 13,000 Indian
troops to put down the resulting violence. It turned out that while
the video did show two men being beaten to death, it was not the men
claimed in the caption; in fact, the incident had not even taken
place in India. This attack required no technical skill whatsoever;
it simply required a psychosocial understanding of the place and
time to post to achieve the desired effect.
Another core element of
the success of these two efforts was their authors' correct
assessment of their intended audiences' cognitive vulnerability - a
premise that the audience is already predisposed to accept because
it appeals to existing fears or anxieties. 8
A battalion of U.S. Special Forces Soldiers engaged a Jaish al-Mahdī death squad, killing 16 or 17, capturing 17, destroying a weapons cache, and rescuing a badly beaten hostage.
In the time it took for the soldiers to get back to their base - less than one hour - Jaish al-Mahdī soldiers had returned to the scene and rearranged the bodies of their fallen comrades to make it look as if they had been murdered while in the middle of prayer.
They then put out pictures and press releases in Arabic and English showing the alleged atrocity. The U.S. unit had filmed its entire action and could prove this is not what happened.
And yet it took almost
three days before the U.S. military attempted to tell its side of
the story in the media. The Army was forced to launch an
investigation that lasted 30 days, during which time the battalion
was out of commission. 9
This incident was one of the first clear demonstrations of how adversaries can now openly monitor American audience reactions to their messaging, in real time, from thousands of miles away and fine tune their actions accordingly.
Social media and the
Internet provide our adversaries with unlimited global access to
their intended audience, while the U.S. government is paralyzed by
legal and policy issues.
The current chief of the Russian General Staff, General Valery Gerasimov, observed that war is now conducted by a roughly 4:1 ratio of nonmilitary and military measures. 11
In the Russian view, these nonmilitary measures of warfare include economic sanctions, disruption of diplomatic ties, and political and diplomatic pressure.
The Russians see information operations (IO) as a critical part of nonmilitary measures.
They have adapted from
well-established Soviet techniques of subversion and destabilization
for the age of the Internet and social media.
For example, a glossary 12 of key information security terms produced by the Russian Military Academy of the General Staff contrasts the fundamental Russian and Western concepts of IO by explaining that for the Russians IO are a continuous activity, regardless of the state of relations with any government, while the Westerners see IO as limited, tactical activity only appropriate during hostilities. 13
In other words, Russia
considers itself in a perpetual state of information warfare, while
the West does not...
Because audiences worldwide rely on the Internet and social media as primary sources of news and information, they have emerged as an ideal vector of information attack.
Most important from the
U.S. perspective, Russian IO techniques, tactics and procedures are
developing constantly and rapidly, as continually measuring
effectiveness and rapidly evolving techniques are very cheap
compared to the costs of any kinetic weapon system - and they could
potentially be a lot more effective.
This relative lack of sophistication leaves them open to detection. For example, existing technology can identify paid troll operations, bots, etc.
Another key element of Russian IO strategy is to target audiences with multiple, conflicting narratives to sow seeds of distrust of and doubt about the European Union (EU) as well as national governments. These can also be detected.
The current apparent lack of technical sophistication of Russian IO techniques could derive from the fact that, so far, Russian IO has met with minimal resistance.
However, if and when target forces start to counter these efforts and/or expose them on a large scale, the Russians are likely to accelerate the improvement of their techniques, leading to a cycle of counter-responses.
In other words, an
information warfare arms race is likely to ensue.
Just as in the physical world, good maps are critical to any IO strategy. In the case of IO, maps show information flows.
Information maps must show connectivity in the information environment and help navigate that environment. They exist as computer software and databases. Information cartography for IO is the art of creating, maintaining, and using such maps.
An important feature of information maps is that they are constantly changing to reflect the dynamic nature of the information environment.
Because they are artificially intelligent computer programs, they can,
Information maps are
technically possible today and already exist in forms that can be
adapted to support the design and execution IO strategy.
Using information cartography, it is possible to map key Russian sources as part of Russian IO operations against a target state.
These sources might include:
Similarly, the mapping of target state receivers as part of Russian IO against the target state might include:
An effective information defensive strategy would be based on coordinated countering of information flows revealed by information maps. An effective strategy would include methods for establishing trust between elements of the defense force and the public.
The strategy also will
include mechanisms to detect the continuously evolving nature of the
Russian IO threat and rapidly adapt in a coordinated fashion across
all defense elements.
They present a careful and concise analysis of relevant psychological research results that should inform any information defensive strategy.
For example, they describe how propaganda can be used to distort perceptions of reality:
Here is what a typical offensive strategy against a target population might look like.
It consists of several steps:
Technologies currently exist that make it possible to perform each of these steps continuously and at a large scale.
However, while current technologies support manual application of the type of psychological research results presented by Paul and Matthews, they do not fully automate it.
That would be the next stage in technology development. These same technologies can be used for defensive purposes.
For example, you could use the techniques for breaking down communities described above to detect adversary efforts to push a narrative and examine that narrative's content.
The technology can help researchers focus while searching through massive amounts of social media data.
The center should be nonprofit and housed in a nonprofit, nongovernmental organization that has international credibility and close ties with,
It should have the following ongoing functions:
This center should be wholly financed for its first five years by the U.S. government until it can establish additional sources of funding from industry and other private support.
The center should also have the authority and funding for grants and contracts, since, apart from a group of core personnel employed by the center, many of the participants will be experts based at their home institution.
Although the Center as described would be a non-profit non-governmental organization, this funding model runs the risk of creating the appearance that the U.S. government has undue influence over its activity.
This could raise concerns about the credibility of the Center and the motives of the US Government.
An alternative would be to seek a combination of private
foundation funding and support from international non-partisan non-governmental organizations (e.g.
the United Nations).
We need a strategy to counter Russian, as well as others, information operations and prepare the United States organizationally for long-term IO competition with a constantly changing set of adversaries large and small.
It is said that where there is a will, there is a way. At this point, ways are available.
The question is, do we have the will to use them?