Russia used “useful idiots” to meddle in the U.S. presidential election and “fellow travelers” opposed to European Union and NATO to influence elections in France and Germany, while Islamic terrorists used “agent provocateurs” to topple Spain’s government in 2004 and cast another pall over French voting, a cyber security expert told a congressional subcommittee Thursday.
That, in capsule form, is how cyber is changing how the public views elections, Clint Watts, of the Foreign Policy Research Institute, said at the Senate Armed Services cybersecurity subcommittee hearing.
So far in the case of the United States warding off this kind of activity, “far more is said than done.” He added it is a “human challenge, not technical ones” that needs to be addressed.
In the American and European elections, he said at the panel’s first public hearing since being formed the Russians created content, sent it out as if were “nuclear-powered and “pushed [it] in unison from many locations,” including “gray outlets” that appear to be legitimate sources of news. They also did all of this over long periods of time.
The goal in the American election was to plant doubt in the integrity of the voting, he said. He added there was no indication that actual votes were tampered with.
Later in answer to a question, Watts said the Russians “are picking parties and supporting them” in the United States and financially in Europe.
In cyber, not all is as it appears and its speed is instantaneous.
Rand Waltzman, senior information scientist at the RAND Corporation, described how an American special forces raid that successfully rescued a hostage and killed a number of terrorists in Iraq was turned into a terrorist propaganda victory. “Those guys film everything,” he said describing how they recorded the incident by placing the bodies on prayer rugs so it appeared that soldiers killed innocent civilians. The video was posted before the special forces soldiers returned to their base. “How did they manage to this so fast?” Their mobile phones.
This changed the story of what happened 180 degrees and put the United States in the position of having to refute the video rather than telling a story of rescue.
He said this kind of quick reaction by adversaries — misinformation, fake news — requires new thinking on cyber security. Instead of the traditional “denial of service” by causing a crash, they are applying “cognitive denial of service” — misinformation and propaganda — to achieve their ends.
“We’re hamstrung” by bureaucracy and directives in addressing the new “hyperkinetic world,” Michael Lumpkin, former acting under secretary of defense for policy, said. The United States’ government efforts in public diplomacy, public affairs and information operations have not been synchronized so that it becomes a credible source of information. It also needs to take the necessary steps “to make sure our information is accurate” before releasing it. “That has not always been the case.”
John Inglis, former deputy director of the National Security Agency, used his organization’s handling of metadata collection as an example. “You need to go first” to establish credibility and explain the value of what it is you are doing. “We went second. That made it more difficult to put it back in the bottle.”
Watts said one approach would be to have a rating non-profit, private agency, similar to Consumer Reports, vet every story on Twitter, Facebook and Google. He added Facebook and Google “are moving in that direction” to eliminate false news, but so far Twitter has not acted.
When asked how he rated RT, the Russian-sponsored media outlet, as a source of news, he said 70 percent was true, 20 percent was misleading and 10 percent false. Watts said he rated some American media outlets as falling in the same percentages of true, misleading and false.
A continuing difficulty in improving cyber security in and out of government is “how do you get people to share problems,” Waltzman said when they would prefer not to admit being hacked or even attacked. Lumpkin said more also needs to be done in training people how not to “provide access to adversaries unwittingly” and holding them accountable for security.
As for recruiting skilled cyber workers, “they’re motivated people out there” interested in the challenges they can find in government, rather than private sector, careers, Watts said. “Give them the space to be the tech savants they are.”