FACEBOOK KNOWS IT PROMOTES MISINFORMATION AND WILL CONTINUE TO DO SO WITHOUT GOVERNMENT REGULATION

Note: If you find my posts too long or too dense to read on occasion, please just read the bolded portions. They present the key points I’m making and the most important information I’m sharing.

Facebook’s promotion of low-quality, right-wing content and disinformation has been clearly documented. For example, in April 2021, The Daily Wire, a bigoted, sexist, anti-immigrant, far-right website that produces no original reporting and a low volume of articles had by far the highest distribution / engagement on Facebook. Second highest was the British tabloid, the Daily Mail, followed by Fox News. Four of the top six sources of content engagement on Facebook were right-wing publishers of disinformation. Credible media got much less engagement due to Facebook’s content promotion algorithm. For example, for April 2021: [1]

  • The Daily Wire (1st): 74.9 million Facebook engagements from 1,385 articles
  • CNN (4th): 23.1 million Facebook engagements from 4,765 articles
  • NBC (7th): 18.7 million Facebook engagements from 2,596 articles
  • New York Times (8th): 18.6 million Facebook engagements from 6,326 articles
  • Washington Post (14th): 12.3 million Facebook engagements from 6,228 articles

Facebook’s reality, driven by its content promotion algorithm, is NOT the reality outside of Facebook. The Daily Wire is NOT more popular than CNN, NBC, the New York Times, and the Washington Post in the world outside of Facebook, let alone more popular than all four of them combined, even though those four publish almost 20,000 articles per month compared with fewer than 1,400 from The Daily Wire, none of which contain original reporting. Facebook promotes this alternative reality because it maximizes its profits. (See this previous post for more detail.)

The election-related disinformation that flourishes on Facebook is a global crisis. There are 36 national elections in countries around the globe in 2022 and many of them will be affected by disinformation on Facebook. Some may be affected to an even greater degree than what has occurred in the U.S., where a strong case can be made that disinformation on social media (with Facebook as a major if not the major player) led to the election of Trump in 2016.

Facebook (and its parent Meta) know how to stop the proliferation of disinformation and have done so for short periods of time at least twice. Meta refers to these instances as “break the glass” emergencies, but the emergency is not short-term or tied to a specific incident; it is long-term and endemic.

For five days after the 2020 U.S. national election, Facebook’s News Feed and other features operated very differently. Facebook adjusted its content promotion calculations, i.e., its algorithm, to more strongly promote credible news sources. By implication, it deprioritized or down-ranked sources publishing disinformation and divisive or hateful content. Facebook did this to slow the spread of disinformation about election fraud and the presidential election being stolen. However, it was too little and too late, lasting only five days in the face of many months of spreading lies about the election. Nonetheless, during the life of the adjusted algorithm, Facebook engagement for credible sources such as the New York Times, CNN, and NPR spiked up, and engagement dropped for the extreme right-wing sources, as well as for hyper-partisan left-wing sources.

Some Facebook staff pushed to make the algorithm change permanent, but were overruled by Facebook’s senior management, including Joel Kaplan, a Republican operative who had previously intervened on behalf of right-wing sources and the Facebook algorithm that promotes them. Moreover, as Facebook returned to “normal” operation, Facebook also eliminated its civic-integrity unit.

After the January 6, 2021, insurrection at the U.S. Capitol, Meta and Facebook again “broke the glass” and instituted more preferential promotion for credible news sources, but again, only for a few days.

Many concerned people from across the globe and from all walks of life – from policy makers to advocates to marginalized people – are calling on Facebook (and other social media platforms, including Instagram [also owned by Facebook’s parent Meta]) to take three steps: [2]

  1. Be transparent: disclose business models, algorithms, and content moderation practices; and release internal data on the effects and harms of the current mode of operation. This would allow independent verification of whether content amplification and moderation are effectively combatting disinformation, protecting elections and democracy, and keeping people, especially young people and children, safe.
  2. Change content promotion algorithms: stop preferential promotion of the most incendiary, hateful, and harmful content to the most vulnerable audiences.
  3. Protect all people equally: bolster content moderation to protect all people, especially marginalized and vulnerable groups, in all countries and all languages.

Facebook and the other social media companies won’t do this on their own. Without government regulation, they will continue to put profits before social responsibility. We must take steps to reduce the disinformation and divisiveness spread by Facebook and other social media platforms. Doing so is critical to the well-being of all of us, especially our children, and to the well-being of society and democracy. Government regulation clearly has to be an important part of the answer.

I encourage you to contact President Biden and your Congress people. Tell them you want strong regulation of Facebook and other social media platforms, including requirements to implement the three steps outlined above. (See this previous post for more on fixes for the harmful behavior of Facebook and other social media platforms.)

You can email President Biden at http://www.whitehouse.gov/contact/submit-questions-and-comments or you can call the White House comment line at 202-456-1111 or the switchboard at 202-456-1414.

You can find contact information for your U.S. Representative at http://www.house.gov/representatives/find/ and for your U.S. Senators at http://www.senate.gov/general/contact_information/senators_cfm.cfm.

[1] Legum, J., 5/6/21, “Facebook’s problem isn’t Trump – it’s the algorithm,” Popular Information (https://popular.info/p/facebooks-problem-isnt-trump-its)

[2] Change the Terms Coalition, retrieved from the Internet 5/2/22, https://www.changetheterms.org/

FACEBOOK KNOWS IT PROMOTES MISINFORMATION AND DOES SO TO MAXIMIZE PROFITS

Facebook promotes misinformation. It knows this is harmful, it knows how to fix it, but it does it anyway – for the sake of profits. This is true across the full range of content from racist and misogynistic disinformation to Russian propaganda. It is true globally and across languages with the worst abuses probably occurring outside the U.S. and in languages other than English.

Facebook undermines democracy and promotes divisiveness and hate (as do other social media platforms such as Instagram, TikTok, Twitter, and YouTube) based on conscious decisions by senior management. (See this previous post on the harm being done by Facebook and other social media platforms.)

The reason that Facebook (and other social media platforms) refuse to effectively control (i.e., “moderate”) content is that profits come first. In 2021, Facebook made $39.4 billion in profits primarily from advertising exquisitely targeted to its almost three billion users.

Perhaps the ultimate confirmation of this is that Facebook and Instagram (both owned by Meta) have been blocked in Russia after the invasion of Ukraine, but Facebook and Instagram are still publishing and promoting Russian propaganda around the world. Although they claim to be moderating disinformation from Russia, 80% of disinformation about U.S. biological weapons has been posted without being flagged or blocked. [1]

Currently, Facebook’s only incentives to moderate the content it allows and promotes are to avoid government regulation and to not be so offensive that advertisers pull their ads. In an effort to address concerns about content moderation – which admittedly sometimes requires making difficult, judgmental decisions that will be unpopular with some people – Facebook created an “Oversight Board” in 2019 to review its moderation decisions. Facebook claims the Board is independent and recruited an impressive set of individuals to serve on it. [2]

Roughly a year ago, the Board issued its first major report, a 12,000-word review of Facebook’s decision to indefinitely suspend Donald Trump from Facebook. The Board affirmed the decision to suspend Trump, but stated that it was inappropriate to make the suspension indefinite.

The Board said Facebook should either make the suspension permanent or set a specific length of time for it. The Board noted that Facebook management was seeking to dodge responsibility and that it should impose and justify a specific penalty.

The Board also posed questions to Facebook management whose answers it felt were essential to enabling it to do its oversight job. However, Facebook management refused to answer questions and failed to provide information on:

  • The extent to which Facebook’s design decisions, including algorithms, policies, procedures, and technical features, amplified Trump’s posts.
  • Whether an internal analysis had been done of whether such design decisions might have contributed to the insurrection at the Capitol on January 6, 2021.
  • Content violations by followers of Trump’s accounts.

The Board noted that without this information it was difficult for it to assess whether less severe measures, taken sooner, might have been effective in solving the problem of Trump’s violations of Facebook’s standards.

As the Board suggests, the central issue is not simply Trump’s posts, but Facebook’s amplification of those posts and others like them. In other words, the real issue is the nature of Facebook’s content promotion algorithm and whether it promotes posts from Trump and from people expressing views like or in support of Trump’s posts. However, the Board’s jurisdiction, as defined by Facebook management, excludes oversight of Facebook’s algorithm and business practices. Furthermore, the Board has no power to compel Facebook management to abide by its decisions and recommendations – or even to simply answer its questions. It will be effective only to the extent that Facebook management voluntarily cooperates, which would mean reducing profits – not something they will do voluntarily.

Facebook founder and now chief executive of its parent Meta, Mark Zuckerberg, once stated: “At the heart of these accusations is this idea that we prioritize profit over safety and well-being. That’s just not true.” The data clearly show that it is true – and hardly anyone believed Zuckerberg when he said it wasn’t.

My next post will provide documentation of Facebook’s promotion of disinformation and divisiveness, as well as its conscious decision to do this and its ability – and occasional willingness – to change this. The post will also include steps that can and should be taken to force Facebook and other social media platforms to change their behavior.

[1] Benavidez, N., & Coyer, K., 4/17/22, “Facebook ought to be protecting democracy worldwide every day,” The Boston Globe

[2] Legum, J., 5/6/21, “Facebook’s problem isn’t Trump – it’s the algorithm,” Popular Information (https://popular.info/p/facebooks-problem-isnt-trump-its)

FIXES FOR INSTAGRAM AND FACEBOOK

The evidence that Facebook and Instagram are harmful, especially to teens and young people, goes back to 2006 and has been growing consistently more definitive over the last fifteen years. (See my previous post for more detail.) The pressure from the public, especially parents, and most recently from Congress to address this problem is mounting.

In response, in mid-March, Meta Platforms (the new parent corporation for Facebook and Instagram) announced some new and forthcoming parental supervision tools for Instagram. Note that teens will have to consent to their parents’ use of supervision tools! Furthermore, teens will know what their parents are seeing about their account and activity. Rather than building in universal safety controls, Meta claims it wants to enable parents to control teens’ social media activity because parents know their teens best and teens have different maturity levels. This sounds to me like a classic blame-the-victim – and the victim’s parents – strategy.

Moreover, Meta knows that many parents aren’t tech savvy and/or won’t have the time and energy to effectively control teens’ social media activity. It also knows that teens tend to be far more tech savvy than their parents and will often be able to evade parental controls. It could easily institute universal strategies to eliminate or greatly reduce the potential for harm from its platforms. Finally, it knows that teens’ vulnerability changes over time and that having harm protections in place by default would be much more effective than relying on parents to recognize and quickly react to teens’ changing vulnerability.

Here’s what Meta announced about new parental supervision tools for Instagram: [1]

  • A Family Center providing information to teach parents how to talk about social media with teens.
  • An ability for teens to invite a parent to supervise their social media account.
  • Parental ability to see how much time their teens are spending on Instagram, whom they are following, who is following them, and when they complain to Instagram about another user. However, a parent will have to have an Instagram account themselves to do so.
  • Future plans for:
    • Parental ability to limit when teens can use Instagram (e.g., not during school or after bedtime),
    • Blocking of access to inappropriate content by parents and/or based on ratings by the International Age Rating Coalition, and
    • Parental supervision tools for its Oculus Quest virtual reality program, where parents, experts, and the British government have raised concerns about exposure to violence and harassment.

Meta acknowledged in its statement that many parents are not on social media and are not tech savvy – meaning that these parental controls are often meaningless. Furthermore, many of these controls, including the future plans, seem like controls that should have been put in place years ago and before these products ever went on the market, i.e., they’re too little too late.

A bipartisan bill has been introduced in Congress, the Kids’ Online Safety Act (KOSA), requiring Facebook, Instagram, and other social media platforms to provide parents with more control over their children’s online interactions. The bill reflects months of congressional investigations and a history of failures by the social media platforms to respond to their documented harmful effects on young users. [2] Congress last passed legislation to protect children when they’re online, including their privacy, 24 years ago. [3] Needless to say, much has changed since then, and the current business model of Facebook, Instagram, and the Internet as a whole is simply not healthy for kids and teens.

KOSA would require social media platforms to provide “easy-to-use” tools to limit screen time, protect personal data, and keep kids under 16 safe. It holds the online platforms accountable by establishing an obligation for them to put the interests of children first and to make safety the default. It requires them to prevent the promotion of bullying, sexually abusive behavior, eating disorders, self-harm, and other harmful content. The bill mandates an annual independent audit of risks to minors, steps taken to prevent harm, and compliance with KOSA. [4]

The bill would require the social media platforms to be transparent about how they operate. It would require giving parents the ability to disable addictive product features and modify content recommendation algorithms to limit or ban certain types of content. It would require the social media platforms to provide researchers and regulators with access to company data to monitor and investigate actual and potential harm to teens and children. This would allow parents and policymakers to assess whether the online platforms are actually taking effective steps to protect children.

The root of the problems with social media platforms is that there is greater profit in promoting unsafe behaviors, creating animosity, encouraging extremism, and fueling pseudo-science than there is in creating a safe place for civil discourse based on facts. Our system of capitalism and the deference to and alignment of our policymakers with large corporations has allowed this business model that commodifies and exploits human attention to explode unchecked. In the world of social media, you, your time and attention span, and your clicks are the products that are being sold – to advertisers. This means the social media business is a race to the bottom; an enterprise based on stimulating, titillating, and capturing our most base emotional and subconscious responses. Social media’s ability to do harm to individuals, our society, and our democracy is well-documented and endemic to the current business model. Without strong and effective public oversight and control, the social media platforms will continue to inflict substantial harms.

I urge you to contact President Biden, as well as your U.S. Representative and Senators, to let them know that you support the Kids’ Online Safety Act and additional actions to regulate social media platforms.

[1] Peng, I., 3/17/22, “Meta adds parental tools to Instagram,” The Boston Globe from Bloomberg News

[2] Zakrzewski, C., 2/17/22, “Senators introduce children’s online safety bill after months of hearings,” The Boston Globe from the Washington Post

[3] Monahan, D., 3/22/22, “Diverse coalition of advocates urges Congress to pass legislation to protect kids and teens online,” Fairplay (https://fairplayforkids.org/march-22-2022-diverse-coalition-of-advocates-urges-congress-to-pass-legislation-to-protect-kids-and-teens-online/)

[4] Blumenthal, Senator R., retrieved 2/16/22 from the Internet, “Blumenthal & Blackburn introduce comprehensive Kids’ Online Safety legislation,” (https://www.blumenthal.senate.gov/newsroom/press/release/blumenthal-and-blackburn-introduce-comprehensive-kids-online-safety-legislation)

THE HARMS OF INSTAGRAM, FACEBOOK, AND SOCIAL MEDIA

The news that Facebook and Instagram are harmful, especially to teens and young people, is not new. In 2006, a college professor, Joni Siani, whose class on Interpersonal Communications had access to Facebook a year before the public, found almost immediately that the Facebook experience was stressful and depressing for her students. Her class effectively became a Facebook group therapy session. That’s the beginning of a story I’ll come back to in a minute. [1] (By the way, Facebook and Instagram are now part of a new corporate entity, Meta Platforms. This name change seems to me to be an effort to obfuscate responsibility and accountability for the harms caused by Facebook and Instagram.)

In 2019, the docudrama The Social Dilemma came out, which highlights the manipulation and harms of social media. I encourage you to watch the film (on Netflix) or at least watch the 2 ½ minute trailer that’s available on the website. I urge you to explore the website; there’s a wealth of information under the button “The Dilemma” and a variety of ways to push back under the “Take Action” button.

The Social Dilemma was created by the Center for Humane Technology, which was founded in 2013 by a Google design ethicist. The Center’s website provides terrific resources for understanding the effects of social media platforms and how to use them intelligently. It has modules for parents and educators on how to help teens be safe, smart users of social media.

Last fall, a former Facebook employee, Frances Haugen, blew the whistle on Facebook’s practices with testimony to Congress, an appearance on 60 Minutes, and a trove of inside documents that the Wall Street Journal reported on extensively. (Blogger Whitney Tilson in one of her posts provides links to Haugen’s interview on 60 Minutes and to the Wall St. Journal’s investigative articles based on documents provided by Haugen. Tilson also wrote a letter to Facebook COO Sheryl Sandberg that’s part of her blog post.)

Haugen documented that Facebook is a threat to our children and our democracy. Furthermore, she made it clear that Facebook knows this but fails to take steps to reduce the harm because doing so would hurt profits. I previously wrote about the threats of Facebook to our children and our democracy here and what can be done about them here.

Instagram, a Facebook partner under the Meta Platforms umbrella, says it only allows users on its platform who are 13 or older, but its age verification tools are weak. Its algorithm (i.e., its decision-making processes) for what information to direct to individual users has been shown to promote harmful content to youth who are particularly susceptible to such messages, such as material promoting eating disorders. Instagram was developing a separate product targeting children under 13 until criticism and pushback from parents and child advocacy organizations caused it to announce that it had paused (but not terminated) development.

A resource for responding to social media’s threats to children is an organization called Fairplay and its website. Formerly the Campaign for a Commercial Free Childhood, Fairplay has been fighting for years to protect kids from the manipulation and harm from commercial advertising and social media platforms. If you want to get updates from Fairplay, click on “Connect” under the “About” button to sign up. Fairplay helps parents manage kids’ screen time and provides alternatives to screen time. It sponsors a Screen-free Week every spring. It has established the Screen Time Action Network to support parents concerned about the effects of screen time and social media platforms on their children.

Returning to the story of that college professor, Joni Siani, who in 2006 saw the harm that Facebook did to her college students: in 2013, she wrote a book about the love-hate relationship between users and their digital devices titled Celling your soul: no app for life. And she started an organization called No App for Life.

In 2021, Siani and No App for Life partnered with Fairplay and its Screen Time Action Network to create three podcasts titled The Harms. They present three stories of parents who lost a child due to social media platforms’ harmful impacts on their children. One describes the ruthless assaults of social media “friends” that led to a suicide. One describes how “fun” online challenges can lead to horrible results. And one describes how drug dealers sell their products on social media, even posting ads amongst all the other ads seen on social media constantly. These horrific examples are from strong families who were trying to do everything right in managing their children’s social media activities but were overwhelmed by the power of social media.

My next post will summarize Meta Platforms’ recent announcement of new and planned parental supervision tools, as well as the bipartisan Kids’ Online Safety Act, which has been introduced in Congress.

[1] Rogers, J., & Siani, J., 3/6/22, “What do I do now? Unthinkable stories Big Tech doesn’t want to tell,” Fairplay’s Screen Time Action Network and No App for Life Podcasts (https://fairplayforkids.org/harms-podcast/)

STOPPING CYBERCRIME AND CIVILIAN HARM FROM CYBERWARFARE

This is the final post of my nine-part series on computer hacking and cyberwarfare based on New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] These posts have summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare; and have shared a number of examples. The previous post provided an overview of steps that can be taken to counter cybercrime at the personal, organizational, and governmental levels. This post discusses steps that are being taken to counter ransomware and to stop cyberwarfare from harming civilians.

The Biden Administration is working to reduce the frequency and profitability of ransomware attacks. It is disrupting the infrastructure ransomware hackers use to collect their ransom. It has put sanctions on cryptocurrency exchanges that are frequently used for ransomware payments and warned U.S. companies not to pay ransoms. In June, it was able to recover over half of the $4.4 million in cryptocurrency that Colonial Pipeline had paid to its ransomware attacker. [2] The U.S. Department of Justice (DOJ) reports that ransomware attacks cost the U.S. almost $600 million in the first six months of 2021.

In November, the DOJ announced that a Ukrainian hacker had been arrested and charged in connection with a group of ransomware attacks. It also announced the recovery of $6.1 million from ransomware attacks by a Russian who was charged separately and is listed as wanted by law enforcement. In December, the head of the U.S. Cyber Command and the Director of the National Security Agency announced that the military had taken offensive actions against ransomware attackers who had targeted critical infrastructure. [3] These actions represent the strongest U.S. government response to ransomware attacks to date and reflect a marshalling of resources across multiple agencies. European law enforcement officials also announced that seven ransomware hackers have been arrested in Europe since February. [4] Recently, a multi-national effort succeeded in shutting down, at least temporarily, a major Russian ransomware entity. In October, the Biden Administration convened over 30 countries to develop plans to combat ransomware attacks around the globe. [5]

Back in April, the Biden Administration announced tough sanctions on Russia for previous cyberattacks and, in June, President Biden warned Russian President Putin that future Russian cyberattacks would be grounds for additional retaliation.

Three former U.S. cyber intelligence agency employees, who had been hired by the United Arab Emirates (UAE) to conduct cyberespionage, pleaded guilty in September to cyber hacking and violating export laws by transferring military cyber technology to a foreign government. The DOJ is deferring criminal prosecutions of them if they pay hundreds of thousands of dollars in fines and abide by the terms of a three-year settlement agreement. They are also prohibited from ever receiving a U.S. security clearance. [6] Numerous former U.S. cyber intelligence employees have been lured to work for private companies and foreign governments to do cybersecurity or cyberespionage. Many do legitimate cybersecurity work but more than a few have done illegal or at least unethical work for their new employers.

In October, Biden’s Commerce Department announced a rule that limits the export and sale of hacking software to authoritarian and repressive governments. This effort is difficult for many reasons, in part because it needs to avoid inhibiting cybersecurity collaboration among countries and among companies located in different countries. Furthermore, some private companies and some other countries don’t share this goal of keeping hacking tools out of the hands of such governments. For example, the Israeli company NSO Group (with suspected but unproven connections to the Israeli government) sells spyware that can be covertly installed on an individual’s phone, allowing the operator to track the person’s location and monitor their communications. Governments and others have used it to track dissidents, activists, lawyers, politicians, and journalists. Saudi Arabia used it to track associates of Jamal Khashoggi, the journalist whom it murdered. Most recently, it was identified as being used to spy on Palestinians. [7]

For 25 years, the U.S. and 42 other countries have blocked the sale of weapons and military technology to authoritarian and repressive governments. The Wassenaar Agreement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, originally signed in 1996, sets voluntary export controls on a list of weaponry. The list of controlled products is updated every December and cyber hacking and surveillance products were added to the list in 2013. However, the U.S. did not adopt controls on these products until now. This new Commerce Department rule will allow the U.S. to coordinate efforts to control the export of hacking tools with the 42 other countries that are part of the Wassenaar Agreement. [8]

Also on the international front, there have been calls for a treaty banning cyberwarfare from targeting civilians and civilian infrastructure, similar to the Geneva Convention for traditional warfare. Brad Smith, Microsoft’s president, called for such a treaty in 2017 after vulnerabilities in Microsoft software had been the vehicle for Russia’s devastating cyberattack on Ukraine’s civilian infrastructure and for North Korea’s worldwide ransomware attacks. Noting that the 1949 Geneva Convention protects civilians during traditional warfare, he called for a new convention to protect civilians from cyberwarfare – from attacks on hospitals, electric power grids, elections, and the intellectual property of private parties. Previously, after the 2010 U.S. attack on Iran’s uranium enrichment facility, European, Russian, and some U.S. officials had also called for such a treaty.

However, the U.S. has not pursued such a treaty, at least in part because it has been the world’s dominant cyber superpower. Nonetheless, U.S. businesses and civilians, as the most Internet-dependent ones in the world, are bearing the brunt of escalating cybercrime and cyberwarfare. Furthermore, the U.S. has continued to engage in its own cyberwarfare, including building its capacity to attack civilian infrastructure such as the Russian electric power grid.

I urge you to contact President Biden and thank him for his efforts to stop ransomware attacks and to keep cyber hacking tools out of the hands of authoritarian and repressive governments. Ask him to continue this work and to do more to protect civilians from cyberwarfare. You can email President Biden at http://www.whitehouse.gov/contact/submit-questions-and-comments or you can call the White House comment line at 202-456-1111 or the switchboard at 202-456-1414.

I also urge you to let your U.S. Representative and Senators know that you support strong steps to reduce ransomware attacks and the potential harm to civilians from cyberwarfare. You can find contact information for your U.S. Representative at http://www.house.gov/representatives/find/ and for your U.S. Senators at http://www.senate.gov/general/contact_information/senators_cfm.cfm.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

[2]      Perlroth, N., 10/25/21, “A rare win for the good guys in cat-and-mouse game of ransomware,” The Boston Globe from the New York Times

[3]      Barnes, J. E., 12/6/21, “US military has acted against ransomware groups, NSA chief says,” The Boston Globe from the New York Times

[4]      Tucker, E., & Suderman, A., 11/9/21, “US charges 2 suspected ransomware operators,” The Boston Globe from the Associated Press

[5]      McLaughlin, J., 10/13/21, “White House brings together 30 nations to combat ransomware,” National Public Radio (https://www.npr.org/2021/10/13/1045248842/white-house-brings-together-30-nations-to-combat-ransomware)

[6]      Mazzetti, M., & Goldman, A., 9/15/21, “Former intelligence officers admit crimes,” The Boston Globe from the New York Times

[7]      Kingsley, P., & Bergman, R., 11/9/21, “Spyware aimed at activists, group says,” The Boston Globe from the New York Times

[8]      Nakashima, E., 10/21/21, “US aims to limit sale of hack tools to dictators,” The Boston Globe from the Washington Post

STOPPING CYBERCRIME AT THE PERSONAL, ORGANIZATIONAL, AND GOVERNMENTAL LEVELS


This is the first of my final two posts (out of nine total) on computer hacking and cyberwarfare. These two posts discuss steps that can be taken to counter cybercrime at the personal, organizational, and governmental levels, as well as efforts to stop cyberwarfare from harming civilians. This series of posts presents my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] These posts have summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare; shared a number of examples; and the previous post provided an overview of Russia’s continuing attacks on the U.S., including on the 2018 and 2020 elections.

It is clear today that passwords, antivirus software, and firewalls will not protect a computer from reasonably sophisticated cyber hacking. With entities willing to pay over a million dollars for a vulnerability in a widespread piece of basic software, such as Microsoft Windows, Apple operating systems, Adobe, Java, and countless others, cybersecurity needs to be designed into these basic pieces of software and to have many layers of protection. Traditionally, basic software has only been tested to make sure it works, not to identify and eliminate vulnerabilities that hackers could use. This needs to change. When complex software is everywhere, even in cars, software vulnerabilities are ubiquitous and our whole mindset about cybersecurity must change to include preventing vulnerabilities, as well as protecting computers when they are attacked.

Individuals and businesses should assume that passwords alone are no longer effective protection from serious hackers because passwords are likely to have been stolen in one of the hacks of a large customer database or in some other way. Two-factor or multi-factor authentication (2FA or MFA) is the best basic defense against cyber hacking and cybercrime. This is the process where, when one logs into a system, a one-time code is sent by phone text or email and has to be entered to gain access. Turn on 2FA wherever it’s available and for any function where security is important, such as banking and financial transactions.

Voting simply cannot be safely conducted on-line, according to Perlroth. She notes that as of the date of her book, there was not a single on-line voting system that hackers had not been able to penetrate – often quite quickly and easily. [2] Voter registration databases and other election support systems need to be rigorously protected and audited to ensure their security.

While the Trump Administration largely ignored cybercrime and civilian harm from cyberwarfare, the Biden Administration has already been aggressive in tackling them. The U.S. Cybersecurity and Infrastructure Security Agency has recently announced that it is working to develop a national cybersecurity strategy. It noted that public-private collaboration will be essential as critical infrastructure must be secured whether it is in private or public hands.

The U.S. needs to establish strong mandates for cybersecurity for public entities and private companies that are part of critical infrastructure. The U.S. lags far behind other countries in doing this. Norway in 2003 and Japan in 2005, for example, implemented national cybersecurity strategies that have made them among the safest countries in the world in terms of cyberattacks. [3]

However, Congress has repeatedly failed to pass legislation that would establish even basic standards for companies operating critical infrastructure such as hospitals, fuel pipelines, the electric power grid, dams, and nuclear power plants. Such standards would, for instance, require operators of critical infrastructure to use up-to-date, well-maintained software; to change passwords regularly; to use two-factor authentication for system access; and to conduct regular, sophisticated tests of their protections against hackers.

The U.S. Chamber of Commerce and other business leaders have argued against even voluntary standards, claiming they are too onerous. Current events are proving that NOT having such standards and NOT having solid cybersecurity in place are far too dangerous and too costly for businesses and customers.

The Biden Administration is urging all companies to enhance their cybersecurity practices, including requiring two-factor authentication for employees to log in to computer systems. [4] It also needs to educate the American public about cybersecurity and about on-line disinformation campaigns; these need to be part of our national consciousness.

Public and private entities should be required to report and make public successful cyberattacks so:

  • Customers and the public can be appropriately warned and protected,
  • The entities have an incentive to fix problems and prevent successful future attacks, and
  • Appropriate law enforcement and national security responses can occur.

On the flip side, when U.S. intelligence agencies become aware of a vulnerability in computer software or hardware, they should be required to inform the product’s vendor and work with it to eliminate the vulnerability.

The private sector is not only stepping up its defensive measures against hacking but also going after hackers directly, rather than leaving this work to law enforcement as has been the practice. Google is suing two Russia-based individuals for using a massive network of hacked computers for a range of criminal activity. It is also working with other private companies to disable the computers used by the hackers. The hacked network has been tracked by law enforcement and cybersecurity experts for years and is estimated to include about a million Microsoft Windows-based computers around the globe. In cleaning up the damage that has been done and the vehicles the hackers used to spread their harmful software, Google has removed from the Internet about 63 million Google Docs, more than 1,000 Google accounts, and over 900 Google Cloud projects. Microsoft has also been active in this direct action, deleting from the Internet websites used by a China-based hacking group. [5]

I urge you to contact President Biden and thank him for his work to improve cybersecurity, including his efforts to create and implement a national cybersecurity plan. Ask him to continue this work and to do more to require private entities operating critical infrastructure to strengthen their cybersecurity. You can email President Biden at http://www.whitehouse.gov/contact/submit-questions-and-comments or you can call the White House comment line at 202-456-1111 or the switchboard at 202-456-1414.

I also urge you to let your U.S. Representative and Senators know that you support strong steps to improve cybersecurity, including requiring private businesses, especially those operating critical infrastructure or large aggregations of consumer data, to take meaningful steps to improve their cybersecurity. You can find contact information for your U.S. Representative at http://www.house.gov/representatives/find/ and for your U.S. Senators at http://www.senate.gov/general/contact_information/senators_cfm.cfm.

My next post will provide an overview of the Biden Administration’s efforts to combat ransomware attacks, address cybersecurity internationally, and protect civilians from harm from cyberwarfare.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

[2]      Perlroth, N., 2021, see above, page 397

[3]      Perlroth, N., 2021, see above, pages 398-399

[4]      De Vynck, G., 9/22/21, “Treasury’s fight against hackers targets crypto payments,” The Boston Globe from the Washington Post

[5]      De Vynck, G., 12/8/21, “Google sues hackers tied to vast ring of infected devices,” The Boston Globe from the Washington Post

CYBERWARFARE: RUSSIA’S ATTACKS ON THE 2018 AND 2020 ELECTIONS AND THE TRUMP ADMINISTRATION’S RESPONSE


This is my seventh post on computer hacking and cyberwarfare and part of my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] My first post summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare; the 2017 North Korean ransomware attack; and the 2009 U.S. National Security Agency (NSA) cyberwarfare attack on Iran. My second post covered the leaks from the NSA, electronic surveillance in the U.S., and the use of encryption to protect privacy. My third post described Russia’s cyberattacks on Ukraine. The fourth and fifth posts described China’s cyberattack on Google and Google’s response. The sixth post described Russia’s cyberattack on the 2016 U.S. election.

This post summarizes Russia’s attacks on the 2018 and 2020 U.S. elections and the responses of the Trump and Biden administrations.

Under the Trump Administration, concern for cyberwarfare and cybercrime seemed absent. For example, the Obama Administration had reached an agreement with China to stop its industrial espionage; however, this ended when Trump began his very public trade war with China. Similarly, the Iran nuclear agreement worked to keep Iranian hackers at bay. Trump’s voiding of the nuclear deal resulted in unprecedented levels of Iranian cyberattacks. Furthermore, as Trump backed off both sanctions and rhetoric against Russia for its hacking and election interference, Russia continued to hack our election systems and infrastructure, as well as to spread division, distrust, and chaos through social and other media. Even Saudi Arabia, facing no sanctions from the Trump Administration for its murder of Washington Post journalist Khashoggi, was emboldened to engage in cyber espionage targeting the U.S. Cybercriminals engaged in ransomware attacks on cities, towns, and other infrastructure with regularity – and with little response from the Trump Administration.

By 2018, Trump had eliminated the position of White House cybersecurity coordinator and had made it clear that he never wanted to hear anyone in his administration, including the director of Homeland Security, mention election interference or election security. As the 2018 elections approached, the Russian social media propaganda agency, the Internet Research Agency (IRA), was engaging in sophisticated election disinformation on social media. In the six months before the elections, it spent at least $10 million on its efforts to influence the U.S. elections and to sow division, distrust, and chaos.

Fortunately, in September 2018, Trump had ceded decision-making for offensive cyberattacks to the new director of the NSA, General Paul Nakasone, who also served as the head of the Pentagon’s Cyber Command. John Bolton, in his brief tenure as Trump’s national security advisor, had developed a new cyber strategy that gave the Cyber Command increased flexibility. So, in October, the Cyber Command posted warnings directly to the IRA’s computers threatening indictments and sanctions if Russia continued to meddle in the 2018 elections. Then, on Election Day, the Cyber Command shut down the Russian hackers’ computer servers and kept them offline for several days as votes were tabulated and certified. No one knows what might have happened if the Cyber Command had not done this, but the 2018 election results were processed without any serious glitches.

“By 2020, the U.S. was in the most precarious position it had ever been in the digital realm,” according to Perlroth. [2] More than 1,000 local governments had been hit with ransomware attacks over the previous year. Russian cybercriminals were getting billions of dollars because local governments and their insurers calculated that it was cheaper to pay the ransom than to have to recreate computer systems and data. Cybersecurity experts worried that the ransomware attacks were a smokescreen to probe municipal computers and develop the capability to disrupt voter and election related systems during the 2020 election. Some of these experts also thought the election hacking and interference in 2016 and 2018 might be trial runs for more extensive efforts planned for the 2020 elections. Apart from the elections, in September 2020, over 400 hospitals were the subject of ransomware attacks, coming, of course, at the worst possible time – in the middle of the pandemic.

In Congress, a number of efforts were made to address concerns about election security, including bills requiring paper trails for every ballot and rigorous post-election audits, banning voting machines from being connected to the Internet, and mandating that campaigns report contacts with foreign entities. These were largely uncontroversial security measures that generally had bipartisan support and were deemed critical by election integrity experts. However, Senator Mitch McConnell, the Republican Majority Leader, refused to let any election security bill move forward toward passage. Only after critics took to calling him “Moscow Mitch” did he relent and begrudgingly allow approval of $250 million to help states protect election infrastructure – a tiny amount of money when split among the 50 states (only $5 million each on average), especially given the seriousness of the threats their election systems were facing.

In early 2020, U.S. intelligence officials warned the White House and Congress that Russian hacking and election interference were working hard at promoting Trump’s re-election. Trump was so incensed that this information had been shared with Democrats that he fired his acting director of national intelligence and publicly dismissed the intelligence findings as misinformation. Beginning in August, Trump’s new head of intelligence refused to provide in-person briefings on election interference to Congress. The U.S. intelligence agencies had always been non-partisan, but the Trump administration increasingly manipulated their actions and statements to serve their political interests. Meanwhile, Microsoft revealed that in one two-week period Russian hackers had attempted to access 6,900 personal email accounts of politicians, campaign workers, and consultants of both parties.

During the 2020 election cycle, the Russians didn’t have to create “fake news” to foster distrust, division, and chaos; Americans, including President Trump, were providing plenty of such content on a daily basis. The Russian trolls simply worked to amplify, among other things, the vaccination debate, the lockdown protests, the misinformation about the benefits of mask wearing, and the blaming of the racial justice protests and any violence that occurred on violent, left-wing radicals.

As the 2020 election approached, the Cyber Command, the Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security, the NSA, and the FBI worked diligently to protect election infrastructure in the states and nationally, as well as to actively counterattack. Many of the officials involved figured it was likely that Trump would fire them for their hard work as soon as the election was over, but they persisted in doing their jobs. On Election Day, CISA officials briefed reporters every three hours and, in the end, Election Day came and went with no evidence of fraud, outside efforts to alter vote tallies, or even a ransomware attack.

Perlroth notes that while she would like to credit the work of our cybersecurity agencies for the uneventful Election Day, she feels that the 2020 election went as smoothly as it did, not because the Russians were deterred, but because they (and specifically Russian President Putin) concluded that their work here was done and had been successful. Discord, distrust, and chaos were being created by American actors without the need for Russian interference. If Putin’s goal, in the U.S. elections and otherwise, was to undermine American democracy and American influence in world diplomacy, he had probably succeeded beyond his wildest dreams.

Nonetheless, Russian cyber hacking continues. In 2020, Russia’s premier intelligence agency, the SVR, was responsible for the cyberattack via the SolarWinds security software, a highly sophisticated attack that affected many government agencies and large companies. It gave the Russians access to tens of thousands of users’ computer systems. (By the way, the SVR was also the first hacker to gain access to the Democratic National Committee’s computers in 2016.)

In October 2021, the Russians engaged in another massive campaign to hack into computer networks in the U.S. Microsoft announced that it had notified 600 organizations that they had been targeted by SVR with about 23,000 attempts to illegally access their computer systems in October alone. It noted that the attacks were relatively unsophisticated and were or could have been blocked by basic cybersecurity practices. It also stated that, for comparison, there had been only 20,500 such attempts by all other international governmental actors over the past three years. [3]

This Russian cyberattack occurred only six months after President Biden imposed sanctions on Russian financial and technology companies in April 2021 as punishment for previous cyberattacks. At the time, he noted that the sanctions could have been more severe but that he was trying to de-escalate confrontation between the two superpowers.

My next post will review things that can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

[2]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021. page 347

[3]      Sanger, D.E., 10/26/21, “Russia tests US again with broad cybersurveillance,” The Boston Globe from The New York Times

CYBERWARFARE: RUSSIA’S ATTACK ON THE 2016 ELECTION


This is my sixth post on computer hacking and cyberwarfare and part of my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] My first post summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare; the 2017 North Korean ransomware attack; and the 2009 U.S. National Security Agency (NSA) cyberwarfare attack on Iran. My second post covered the leaks from the NSA, electronic surveillance in the U.S., and the use of encryption to protect privacy. My third post described Russia’s cyberattacks on Ukraine. The fourth and fifth posts described China’s cyberattack on Google and Google’s response.

This post summarizes Russia’s attack on the 2016 U.S. election, which began in June 2014 when Russia sent two agents to the U.S. for a three-week reconnaissance tour to gather intelligence on U.S. politics and elections. Their report became the field guide for Russia’s interference in the 2016 election. Starting in 2014, the Russians tried to hack into voter registration and election systems in all 50 states. They are known to have succeeded in accessing Arizona’s and Illinois’s voter databases. In 2015 (and probably before then), the Russians aggressively hacked into computer networks at the State Department, White House, and Joint Chiefs of Staff of the Defense Department, although this was probably unrelated to the election and was just “routine” espionage. Occurring in the midst of the unprecedented and mind-boggling presidential campaign that was ongoing at the time, these cyberattacks got little coverage in the mainstream media.

Russia’s social media propaganda agency, known as the Internet Research Agency (IRA), had as its goal for the U.S. election in 2016 to “spread distrust toward the candidates and the political system in general. … [to create] division, distrust, and mayhem.” [2] In September 2014, the IRA created a Facebook group, Heart of Texas, focused on right-wing Texans that generated 5.5 million likes within a year. It also created another Facebook group, United Muslims of America. Then, among other things, it used these two Facebook groups to promote rallies and counter-rallies at the Islamic Center in Houston that led to real-world confrontations. The IRA used the stolen identities of Americans to make their work more credible, but nonetheless its cyber manipulators were surprised at how gullible and susceptible the Americans were to their Facebook disinformation.

Based on its success in Texas, the IRA began replicating this approach across the country, focusing on purple states. Its staffing grew to more than 80 people who were directed to “Use any opportunity to criticize Hillary and the rest (except Sanders and Trump – we support them)” according to leaked memos. [3] The IRA:

  • Communicated with Trump campaign volunteers.
  • Bought Facebook ads promoting Trump and attacking Clinton.
  • Promoted race-baiting and xenophobic messages.
  • Worked to suppress minority voter turnout and to encourage voting for third party candidates instead of for Clinton.
  • Paid an unwitting Florida Trump supporter to put a cage on a flatbed truck and paid an actress to dress up as Clinton and sit in the cage as Trump rally goers chanted “Lock her up!” Based on this success, they promoted similar rallies in other states.
  • Reached 126 million Facebook users and generated 288 million Twitter actions, which are staggering numbers given that 139 million people voted in the 2016 election.

In June 2016, it was discovered that two other Russian groups had hacked into the Democratic National Committee’s computer network months earlier, extracting and releasing embarrassing emails, among other things.

The Obama Administration, facing multi-faceted and snowballing Russian interference in the election, finally decided in the fall of 2016 that a strong bipartisan statement (so it wouldn’t appear political) was necessary. Top Homeland Security and FBI officials were sent to brief Congress. But the response from the Republicans was completely partisan. Republican Senate Majority Leader Mitch McConnell refused to warn Americans about Russia’s efforts to influence and undermine the 2016 elections. He refused to sign any bipartisan statement, argued (falsely) that the intelligence on the cyberattacks was wrong, and claimed (falsely) that this was all just Democratic partisan politics.

After the election, the Obama Administration imposed significant sanctions on the Russians, but they were too little and too late. Although there’s some argument over the ultimate impact of the Russians’ efforts, Perlroth concludes that the Russian actions may well have tipped the election to Trump. Black voter turnout declined sharply in 2016 for the first time in 20 years, and this was a constituency and an outcome that the Russians had aggressively targeted. Black voter turnout fell from 66.6% in 2012 to 59.6% in 2016, its lowest level since 2000. This represented a decline of 765,000 votes when less than 80,000 votes in three key states determined the outcome of the election. Furthermore, Trump’s margin in each of these three key states – Wisconsin (22,800 votes, a 0.8% margin), Pennsylvania (44,300 votes, a 0.7% margin), and Michigan (10,700 votes, a 0.2% margin) – was less than the vote for the Green Party candidate in that state. This voting for third party candidates instead of Clinton was another outcome that the Russians had aggressively targeted. Given the closeness of the election, a relatively small change in either (let alone both) of Black voter turnout or the number of votes for the Green Party instead of for Clinton would have changed the outcome of the election – and both of these were factors that the Russians specifically worked to influence.

Subsequent posts will outline the Perlroth book’s reporting on:

  • Russia’s continuing cyberattacks on the 2018 and 2020 U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

[2]      Perlroth, N., see above, page 310

[3]      Perlroth, N., see above, page 311

CYBERWARFARE: GOOGLE’S RESPONSE TO CHINA’S ATTACK


This is my fifth post on computer hacking and cyberwarfare, all of which are part of my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] My first post summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare; the 2017 worldwide ransomware attack by North Korea; and the 2009 cyberwarfare attack by the NSA on Iran’s uranium enrichment plant. My second post provided an overview of the book’s reporting on leaks from the NSA, electronic surveillance in the U.S., and the use of encryption to protect privacy. My third post described Russia’s cyberattacks on Ukraine and the fourth post described China’s cyberattack on Google.

Google had begun doing business in China in 2006, agreeing to the censorship of search results that the government demanded. In 2009, it was still struggling to accommodate China’s increasingly draconian censorship rules. Nonetheless, China waged a cyberattack on Google in 2009 in an effort to make Google an unwitting accomplice in Chinese surveillance of dissidents. (See my previous post for more details about this cyberattack.)

In response, on January 12, 2010, Google publicly revealed the Chinese cyberattack and its decision to pull out of China, despite its being the largest and most sought-after market in the world. Fearing for its employees’ safety, it had briefed the State Department and the U.S. embassy in Beijing was prepared to undertake a mass evacuation of Google’s Chinese employees and their families. Google shut down its Chinese operation and routed all Chinese Internet traffic to Hong Kong. In response, the Chinese government scrambled to censor and block Internet content flowing from Hong Kong, lambasted Google, denied involvement in the cyberattack, and accused the U.S. government of conducting an anti-China propaganda campaign. It permanently blocked Internet access to Google and three years later, under new President Xi Jinping, took over total control of the Internet in China.

The Chinese hackers who had executed the attack, having been outed, unplugged their Internet computer servers and abandoned their hacking tools. They abstained from hacking in the U.S. for a number of months, but one year later engaged in a sophisticated attack on RSA, the cybersecurity company that sold security services to, among others, high profile defense contractors. Based on this successful attack, the Chinese hackers were able to infiltrate Lockheed Martin and thousands of other western companies including banks, automakers, chemical companies, law firms, non-profit organizations, and more. They stole billions of dollars’ worth of proprietary information, including military and trade secrets.

Back at Google, less than a year after the 2010 pullout, some executives began pushing to go back to doing business in China. As Google diversified its businesses and re-organized under the over-arching corporation Alphabet in 2015, re-entry into the Chinese market, with its 750 million Internet users, became a hot topic of debate. Ultimately, human rights, ethical considerations, and Google’s motto of “Don’t be evil” were overwhelmed by a focus on profits.

In 2016, Google established a new, artificial intelligence research center in Beijing and released some small-scale products, e.g., an app and a mobile game, into the Chinese market. Simultaneously, it was working on a search engine for the Chinese market, code-named Dragonfly, that met government censorship requirements. In August 2018, an employee leaked information about the work on Dragonfly. After protests by Google employees and others, the Dragonfly project was terminated in July 2019. Google does not offer a search engine in China at this time.

Google’s business ethics have been questioned not just for doing business in China, but for its behavior in the U.S. and elsewhere. It profits off sites that spread disinformation and conspiracy theories, and its YouTube subsidiary allows the spread of videos that harm the well-being of children. In Saudi Arabia, it hosted an app that allowed men to track and, thereby, control the movements of female family members.

In subsequent posts, I will outline the Perlroth book’s reporting on:

  • The cyberattacks on U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1]      Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, NY, NY. 2021.

CYBERWARFARE: CHINA’S ATTACK ON GOOGLE


This is my fourth post on computer hacking and cyberwarfare and part of my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] My first post summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare; the 2017 worldwide ransomware attack by North Korea; and the 2009 cyberwarfare attack by the U.S. National Security Agency (NSA) on Iran’s uranium enrichment plant. My second post provided an overview of the book’s reporting on leaks from the NSA, electronic surveillance in the U.S., and the use of encryption to protect privacy. My third post described Russia’s cyberattacks on Ukraine.

This post summarizes China’s cyberwarfare and, in particular, its attack on Google. The Chinese government’s cyberwarfare initiatives use both army personnel and contracts with non-government hackers at Chinese universities and technology companies. This contracting with private hackers is similar to President Putin’s strategy in Russia, where cyberattacks had been outsourced to cybercriminals for years to give the government some marginally credible deniability of responsibility. As in Russia, many of the private hackers in China are likely to have been conscripted, rather than hired in the private market.

For years, the Chinese have been hacking into defense companies, where they focus on stealing aerospace, missile, space, and satellite technologies, as well as nuclear propulsion and weapon information. They have also been hacking into a broad range of U.S. businesses and stealing intellectual property. A former Director of the NSA, Keith Alexander, called Chinese cyber theft the “greatest transfer of wealth in history.” [2]

In December 2009, now ancient history in the annals of cyber hacking, Google’s digital security team noticed an electronic intruder in their computer network. It was moving from computer to computer in what they called the fastest cyberattack they had ever seen. It had managed to breach what was one of the toughest digital security systems in existence at the time and was conducting a very sophisticated search across Google’s extensive computer network. As is often the case, the intruder’s access had been initiated by unsuspecting Google employees who had clicked on a link in a hacker’s phishing message. The link went to a website in Taiwan that put the hacker’s computer program, i.e., malware, onto the employee’s computer via a vulnerability in Microsoft’s Internet Explorer browser. The malware allowed the hacker to access the employee’s computer and Google’s network.

The attack was very sophisticated – the work of highly skilled, well-resourced hackers, not a small-time, individual cybercriminal. This was made clear by the fact that the hackers encrypted their attacking computer program and obfuscated their tracks, and by the expertise needed to use the Internet Explorer vulnerability.

Over a couple of weeks, Google assembled a team of 250 inside and outside security experts to counter the attack, and then determine who had attacked and what they were trying to accomplish. Team members worked 24/7 and December holiday vacations were canceled.

Eventually, the team’s work identified the attacker as a group contracted with by the Chinese government. It was being monitored by the NSA, which had code-named it “Legion Yankee.” It was one of the most active of the more than two dozen Chinese hacking groups that the NSA monitored. These groups had attacked U.S. government agencies, technology companies, think tanks, and universities in attempts to steal intellectual property, military secrets, and correspondence.

As Google and outside security experts dug into the attack, they traced it back to Legion Yankee’s computer server and discovered that dozens of other U.S. companies had been attacked as well, including Adobe, Intel, Northrop Grumman, Dow Chemical, and Morgan Stanley. As Google tried to warn these other companies, they found it was hard to reach someone who would take their warning seriously and understand its implications. Many of the companies refused to acknowledge that their computer systems had been breached – not wanting the bad publicity.

Google and its outside experts also eventually figured out what the attacker was after: Google’s source code. This is the computer programming that runs the Google application – it’s what displays its screens when you access Google, it’s what runs the search engine and displays the results, it’s what determines what ads to show you and what to do when you click on an ad or search result, etc. Microsoft’s Windows computer operating system, which runs many of our computers, is probably the best-known example of source code, along with Apple’s Operating System (OS) or the Android software that runs your phone.

This kind of attack wasn’t about short-term gain, e.g., theft of money or information. It was a long-term strategy that could bear fruit immediately but also for years to come. The hackers would insert code into, or change the programming of, Google’s source code to give themselves access to the information that was flowing through Google, to Gmail accounts, and also to the computers and networks that were using Google.

Ultimately, Google determined that the Chinese government wanted to change Google’s source code so it would have long-term access to any Gmail account and that its interest was in accessing the Gmail accounts of Chinese dissidents, including pro-democracy activists in Hong Kong, Tibetan and Uighur Muslim dissidents, pro-independence Taiwanese, the Dalai Lama, and others. In other words, China’s goal for its most sophisticated cyberattack capabilities was to be able to monitor, threaten, and thereby control its own people.

U.S. State Department officials would eventually connect Legion Yankee and the Google attack to the Chinese government’s top security official, Zhou Yongkang, and to Li Changchun, a member of China’s top ruling body (the Politburo Standing Committee) and China’s top propaganda official. Li had reportedly googled himself and was not happy with what he found and, therefore, ordered the attack on Google.

My next post will summarize Google’s response to the Chinese attack: it made a big splash by publicizing China’s attack and pulling out of the Chinese market completely in 2010 – only to re-enter the Chinese market in 2016. Subsequent posts will outline the Perlroth book’s reporting on:

  • The cyberattacks on U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1] Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, New York, NY, 2021.

[2] Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, New York, NY, 2021, p. xix.

CYBERWARFARE: RUSSIA’S ATTACKS ON UKRAINE AND USE OF NSA’S CYBER WEAPONS


This is my third post on computer hacking and cyberwarfare, part of my overview of New York Times cybersecurity reporter Nicole Perlroth’s outstanding book, This Is How They Tell Me the World Ends. [1] My first post summarized the book’s information on:

  • The scale of computer hacking, cybercrime, and cyberwarfare,
  • The 2017 worldwide ransomware attack by North Korea using a Microsoft Windows vulnerability stolen from the U.S. National Security Agency (NSA), and
  • The 2009 cyberwarfare attack by the NSA on Iran’s uranium enrichment plant.

My second post provided an overview of the book’s reporting on:

  • Electronic surveillance in the U.S. and the use of encryption to protect privacy, and
  • Leaks from the NSA, including of its cyberwarfare weapons.

This post provides an overview of Russia’s cyberattacks on Ukraine. Russia is and has been a formidable and active player in espionage and international warfare since the 1950s Cold War, which Perlroth touches on as background for her reporting on cyberwarfare.

Not surprisingly then, Russia has been an early, active, and formidable participant in cyberwarfare. It has attacked Ukraine both to demonstrate its capabilities to the world and to display its ongoing displeasure with independence in Ukraine, which threw out the Russian puppet government in 2014. Russia’s cyberwarfare has interfered with Ukraine’s elections and its everyday life. In 2014, Russia planted disinformation during Ukraine’s election and engaged in serious cyber hacking of its election infrastructure. Ukrainian election officials discovered the hacking just before manipulated results would have been announced to the media. It was the most brazen cyberattack on a national election ever at the time.

For its next attack, on Christmas Eve in 2015, Russia’s cyber warriors flipped off circuit breakers in the Ukrainian power grid, turning off electricity for hundreds of thousands of people. They also shut off backup power in many locations and shut down emergency phone lines. Things were turned back on roughly six hours later, but the message and the capabilities were clear. This represented an escalation of cyberwarfare; no country had ever shut down another country’s civilian power grid before. A year later, Russia did it again, this time shutting down the power and heat in the Ukrainian capital of Kyiv.

On June 27, 2017, Russia launched another, much more devastating cyberattack on Ukraine, this time using weapons from the U.S. National Security Agency (NSA) that had been stolen and leaked in 2016 and 2017. (See my previous post for more details on this leak.) Russia specifically timed its attack to occur on Ukraine’s independence day to underscore its political message. The attack shut down government offices, trains, ATMs, the postal service, and almost all financial systems, so people couldn’t get paid, and electronic cash registers didn’t work, so people couldn’t buy anything, even food and gas. Even the radiation monitors at the Chernobyl nuclear disaster site were shut down. The attack destroyed the data on 80% of the computers in Ukraine. The damage was so severe that it took over two years for Ukraine to recover from this Russian cyberattack.

Not unexpectedly, the cyberweapons (i.e., malicious computer programming) that Russia used in the attack on Ukraine self-propagated through the Internet and other computer networks, so that any company doing business in Ukraine was vulnerable. The cyberweapons shut down factories in Tasmania, destroyed vaccines at the pharmaceutical companies Pfizer and Merck, infected FedEx’s computer systems, and brought the world’s biggest shipping company, Maersk, to a halt. The cyberweapons even spread back to Russia, destroying data at the giant, Russian government-owned oil company, Rosneft, and at the Russian steelmaker, Evraz.

When author Perlroth visited Ukraine in the winter of 2019, a year and a half after the attack, the damage estimate there was $10 billion and climbing, and significant disruption of daily life was still evident. Railroad and shipping systems were still not back to normal, pension checks still hadn’t been received, and people were still trying to find packages that had gone missing when shipment tracking data was lost, for example. It was also estimated that the attack cost Merck, FedEx, and the other companies that were affected billions of dollars. Some insurers refused to pay for damages from this cyberattack, claiming it was an act of war and therefore fell under a war exemption clause in their policies.

This Russian cyberattack made it clear that cyberweapons are weapons of mass destruction. Russia could have done much worse. It could have crashed trains and planes instead of just disabling scheduling, ticketing, and payment systems. It could have created explosions or toxic incidents at manufacturing plants or nuclear power plants.

Some experts believe Russia used the NSA’s tools in this attack to discredit and expose the NSA and the U.S. government. Others believe Russia was just using this attack, and the earlier ones in Ukraine, to test its capabilities and to prepare for, or signal its capability to execute, even more devastating attacks in the future. By the way, Russia has continued to harass Ukraine. For example, in 2019, it inundated Ukrainian Facebook accounts with anti-vaccination propaganda as the worst measles outbreak of recent times spread there.

In subsequent posts, I will outline the Perlroth book’s reporting on:

  • The Chinese attack on Google and Google’s response,
  • The cyberattacks on U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1] Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, New York, NY, 2021.

CYBERSECURITY AND THE DEVASTATING LEAK OF THE NSA’S CYBER TOOLS


My previous post on computer hacking and cyberwarfare began my overview of New York Times cybersecurity reporter Nicole Perlroth’s book, This Is How They Tell Me the World Ends. [1] My post summarized the book’s information on the scale of computer hacking, cybercrime, and cyberwarfare, while also outlining two examples from the book:

  • The 2017 worldwide ransomware attack by North Korea using a Microsoft Windows vulnerability stolen from the U.S. National Security Agency (NSA), and
  • The 2009 cyberwarfare attack by the NSA on Iran’s uranium enrichment plant.

This post provides an overview of the book’s reporting on:

  • Electronic surveillance in the U.S. and the use of encryption technology to protect privacy, and
  • Leaks from the NSA, including of its cyberwarfare tools.

After the September 11, 2001, attacks, the U.S. greatly expanded its electronic surveillance within the U.S. In 2013, Edward Snowden, a consultant for the NSA and a former CIA employee, released thousands of classified NSA documents. They described activities the NSA was engaged in, including mass surveillance of Americans. Among many other things, the documents revealed that the NSA was secretly surveilling users of Microsoft, Facebook, Google, and Yahoo and that in a single day it had collected roughly 445,000 Yahoo email address books, 105,000 from Hotmail, 83,000 from Facebook, 34,000 from Gmail, and 23,000 from other providers.

Snowden was charged with espionage. He left the country prior to releasing the NSA documents and is living in Russia under a grant of asylum. In 2020, a U.S. federal court ruled that the NSA’s mass surveillance program exposed by Snowden was illegal and possibly unconstitutional.

As a response to U.S. government surveillance and cyber hacking, software and hardware providers started offering users the ability to encrypt their data. Initially, intelligence agencies and law enforcement had ways to overcome the encryption and access the data, typically with the assistance of the product’s provider. Then in 2014, in the wake of the Snowden revelations, Apple announced that the iPhone 6 would automatically encrypt everything on the phone using the phone user’s unique password, making the data impossible for anyone else to decrypt. Previously, Apple had a key that could decrypt a user’s data when requested by law enforcement. The FBI and those running government surveillance programs were upset and concerned about this truly secure encryption, but there was strong support from users because they valued their privacy.
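The difference the paragraph above describes, between a vendor-held escrow key and a key derived only from the user’s passcode, is easiest to see in code. The following is an added example, not code from the post or from Apple: it uses only the Python standard library, with PBKDF2 for passcode stretching and an HMAC-SHA256 keystream plus HMAC tag as a stand-in for the AES-based encryption a real device uses (the cipher construction, the 200,000-round work factor, and the sample phone contents are all assumptions of the example). In the escrow model the vendor can decrypt any device without the user; in the passcode-derived model the device stores only a public salt and ciphertext, so neither the vendor nor anyone else holds a key, and a wrong passcode is rejected by the authentication tag rather than yielding garbage.

```python
import hashlib
import hmac
import os
import secrets

# Assumed work factor for the demo; real devices also rate-limit in hardware.
PBKDF2_ROUNDS = 200_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(passcode: str, salt: bytes) -> tuple:
    """Stretch a passcode into a 32-byte encryption key and 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return okm[:32], okm[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-in-counter-mode keystream (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key fails here, loudly."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong passcode or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- Model 1 (pre-2014 as described in the post): vendor holds an escrow key ---

def escrow_protect(vendor_key: bytes, data: bytes) -> bytes:
    """The device encrypts under a key the vendor keeps; the user is not involved."""
    return encrypt(vendor_key[:32], vendor_key[32:], data)


def escrow_vendor_unlock(vendor_key: bytes, blob: bytes) -> bytes:
    """The vendor can decrypt on request because it holds the key material."""
    return decrypt(vendor_key[:32], vendor_key[32:], blob)


# --- Model 2 (iPhone 6 as described in the post): key derived from the passcode ---

def passcode_protect(passcode: str, salt: bytes, data: bytes) -> bytes:
    """Only the salt (not secret) and the ciphertext are stored on the device."""
    enc_key, mac_key = derive_keys(passcode, salt)
    return encrypt(enc_key, mac_key, data)


def passcode_unlock(passcode: str, salt: bytes, blob: bytes) -> bytes:
    """Anyone without the passcode, vendor included, has nothing to decrypt with."""
    enc_key, mac_key = derive_keys(passcode, salt)
    return decrypt(enc_key, mac_key, blob)


def demo() -> dict:
    """Run both models on a constructed sample and report what each party can read."""
    sample = b"contacts, messages, photos (constructed sample data)"
    vendor_key = secrets.token_bytes(64)          # held by the vendor in model 1
    escrow_blob = escrow_protect(vendor_key, sample)

    salt = os.urandom(16)                          # stored on the device in model 2
    user_blob = passcode_protect("2580", salt, sample)
    try:
        passcode_unlock("0000", salt, user_blob)
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True

    return {
        "escrow_vendor_can_read": escrow_vendor_unlock(vendor_key, escrow_blob) == sample,
        "passcode_user_can_read": passcode_unlock("2580", salt, user_blob) == sample,
        "passcode_wrong_rejected": wrong_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The key design point is the last function: in the passcode model the device never stores a decryption key at all, only a salt and ciphertext, which is why the post can say the provider itself could not decrypt the data on request.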

A year later, two terrorists, who had sworn allegiance to ISIS, shot and killed 14 people and injured 22 at the San Bernardino, CA, health department. The terrorists fled and were killed in a shootout within hours. One piece of evidence recovered was an encrypted iPhone. The FBI demanded that Apple decrypt the phone, which apparently it could not, and also demanded that Apple change its software to allow the FBI to decrypt data in the future. Apple refused, pointing out that if there were such a capability, others would want access to it too and hackers would be able to find it as well.

The FBI initiated a court case to force Apple to allow it access to iPhone data, but four months after the shooting it abruptly dropped the case. It turned out that an unidentified hacker had sold the FBI a way to overcome the encryption. Surprisingly, the FBI Director, Comey, admitted that it had paid the hacker at least $1.3 million for this capability. This was the first time the U.S. government had admitted to paying a hacker a large sum to give it access to a vulnerability in a widely used electronic device or piece of software. The FBI claimed that it did not know what the underlying flaw was and that it had no intention of letting Apple know so it could fix it.

Apple was correct, of course, in stating that any ability of the FBI or U.S. intelligence agencies to circumvent the encryption of users’ data would eventually be available to others, including those with less scrupulous intentions (assuming you believe U.S. intelligence agencies and the FBI always have scrupulous intentions). International adversaries and individual computer hackers are constantly uncovering computer software and hardware vulnerabilities. They use or sell these vulnerabilities to obtain unauthorized access to data, for use in international cyberwarfare, or for use for private gain through theft of money, trade secrets, or other valuable information. These computer vulnerabilities can also be used in ransomware attacks, where computer systems are disabled or data stolen for nefarious use unless a ransom is paid.

Probably the worst piece of news for the U.S. intelligence agencies in the history of cyberwarfare was the leak of the NSA’s tools and techniques in 2016 and 2017. While Snowden’s leaks revealed what the NSA was doing, these leaks revealed, in detail, specifically how it was doing its cyber espionage and cyberwarfare.

Over a nine-month period, an unknown individual or individuals leaked specific software vulnerabilities and the computer code the NSA was using to exploit them. These NSA hacking tools had been stolen and were now being released publicly on the Internet, sharing the world’s most powerful cyber arsenal with anyone and everyone who might want to use it. These NSA cyber weapons were used, for example, by North Korea in its global ransomware attack (described in my previous post) and by Russia in its devastating attack on Ukraine in 2017 (to be described in my next post).

The leak of the NSA’s cyber weapons exposed what was probably the biggest federal program the public had never heard of, a cyber espionage and warfare effort so classified it was invisible: hidden through blacked out budgets, large cash transactions, shell companies, contractors, and nondisclosure agreements required of everyone involved in it.

In subsequent posts, I will outline the Perlroth book’s reporting on:

  • Russia’s cyberattacks on Ukraine,
  • The Chinese attack on Google and Google’s response,
  • The cyberattacks on U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1] Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, New York, NY, 2021.

THE COST, DAMAGE, AND THREAT OF CYBERCRIME AND WARFARE


The lines between computer hacking, cybercrime, and cyberwarfare are blurry. They are threats to our national security and also to you. At risk is not only your financial welfare and identity, but also your health and well-being. Cyberwarfare is at a level of threat that has similarities to nuclear weapons in that it can inflict major societal harm and is restrained or deterred only by the threat of retaliatory harm and damage, similar to the mutual assured destruction that deters nuclear war.

This is not an exaggeration, as the book by New York Times cybersecurity reporter, Nicole Perlroth, This Is How They Tell Me the World Ends, [1] makes clear in great detail. She presents the development and evolution of cyber hacking, crime, and warfare since she began reporting on it for the Times in 2013. She also puts it in an historical context of espionage going back to the Cold War and the 1950s and then outlines its transition from human agents to cyber capabilities over the last 40 years. I encourage you to read her 406-page, revealing, convincing, and downright scary book if you are so motivated. I will attempt to summarize it in this and subsequent blog posts.

The scale of computer hacking, cybercrime, and cyberwarfare is much greater than I had any idea it was. The costs to individuals, businesses, governments, and other organizations (such as hospitals) are enormous. A 2018 RAND Corporation report, the most comprehensive study of cyberattacks at the time, estimated that the worldwide losses for the year from cyberattacks were hundreds of billions of dollars. By comparison, the estimated cost of terrorist attacks in 2018 was just $33 billion. Some current estimates put the costs of cyberattacks at over $2 trillion a year and growing.

The number of ransomware attacks, where hackers prevent an organization from accessing its computer systems and data until a ransom is paid, more than doubled from 2019 to 2020, for example. [2] Much of this is done by cyber criminals looking to make money. However, back in May 2017, one of the cyber hacking tools stolen from the U.S. National Security Agency (NSA) (more on this in a subsequent post) was put to use by North Korea in ransomware attacks all around the globe. Within 24 hours, 200,000 organizations in 150 countries were attacked. For example, nearly 50 British hospitals were incapacitated, as were Russian railroads and banks, Indian airlines, Germany’s railroads, Spain’s largest telecommunications company, Japanese police, South Korean movie theaters, many gas stations and universities in China, and small electric utilities and FedEx in the U.S. Russia and China suffered the most, partially because vulnerable, pirated software was widely used there.

The attack used a vulnerability in Microsoft’s Windows operating system that the NSA had discovered and exploited for years. When knowledge of it was stolen from the NSA and released publicly, the NSA notified Microsoft, but, needless to say, there was not enough time to fix the vulnerability (aka bug) and get the fix onto millions of customers’ computers before the vulnerability was exploited by North Korea and others. Exacerbating the problem, many customers are not always quick to install Microsoft’s Windows updates, particularly at companies using it on computers performing critical functions where software updates must be closely managed to minimize downtime. Making matters worse, many computers, including ones controlling critical infrastructure, were running an old version of Windows that Microsoft had stopped updating three years earlier. Now, Microsoft had to go back and update this software so its users wouldn’t be held hostage by cyberattacks from North Korea or run-of-the-mill cyber criminals.

Microsoft’s President, Brad Smith, was angry; this was not the first time the NSA had put Microsoft in this position. He publicly criticized the NSA for withholding the Windows vulnerability from Microsoft and then, when it became a problem, dumping it in Microsoft’s lap to fix on short notice. At the time, this story got short shrift in the U.S. media because of all the focus on the new Trump administration and the controversies it was generating. The administration was, however, quick to identify North Korea as the culprit, in stark contrast to its failure to out Russia for its cyberattacks, including its meddling in the 2016 U.S. election. (More on this in a subsequent post.)

Initially, government-sponsored cyber hacking, with the U.S. leading the pack, was used for espionage and surveillance of foreign governments and agents. The U.S. has multiple agencies spending billions of dollars developing and using cyber hacking capabilities. It has large teams of computer experts identifying vulnerabilities in computer software. Rather than alerting companies to the vulnerabilities in their products, U.S. intelligence agencies developed the software vulnerabilities into weapons for spying on adversaries (e.g., by stealing data from their computers). This use of cyber hacking is considered defensive as it is used to protect the U.S. and not to harm others.

The U.S. government also bought software vulnerabilities from private hackers who had discovered them, sometimes paying millions of dollars for them. Private computer hackers’ uncovering and selling of software vulnerabilities is a worldwide entrepreneurial business, given that any computer-savvy individual with a computer can do this.

However, as was probably inevitable, computer hacking shifted to being used offensively, to harm adversaries, given that it has the inherent capability to disrupt computer-controlled equipment and communications. In 2008 and 2009, the U.S. government, led by the NSA, probably with Israel’s participation, successfully executed a cyberwarfare attack on Iran’s nuclear enrichment plant. It damaged the centrifuges used to enrich uranium in order to delay Iran’s ability to generate enough, sufficiently enriched uranium to build an atomic bomb. Many experts view this attack as marking the shift of cyberwarfare from espionage and defensive uses to offensive uses.

After a cyberattack, given time, effort, and expertise, the target can almost always identify the source of the attack. So, when U.S. intelligence agencies say they “think” a cyberattack came from say Russia, they know that it came from Russia. Furthermore, they usually know what organization was behind the attack, although sometimes it can be difficult to ascertain whether it was a government-sponsored attack or private hackers physically located say in Russia (or China, Iran, or North Korea, etc.).

After the successful attack on its nuclear enrichment plant, Iran, not surprisingly, was looking for revenge. When it discovered the cyberattack, it also then had possession of the weapon – the software that had been used – and could turn it back on the attacker.

Furthermore, the weapon, as cyber weapons often do, spread itself out from the Iranian centrifuge plant over the Internet and around the globe, eventually reaching the U.S. and infecting computers at Chevron. Fortunately, because it was designed to specifically attack the Iranian centrifuges, it didn’t do a lot of damage at Chevron or at other sites it infected.

Despite this experience, the U.S. government continued to focus on its offensive cyberwarfare programs and largely ignored building cyber defenses. Surprisingly, it ignored the clear vulnerability of U.S. computers and systems to the types of attacks it was undertaking, despite the fact that the U.S. is more dependent on computers and the Internet than other countries, making the U.S. more vulnerable to a cyberattack than anyone else.

In subsequent posts, I will outline the Perlroth book’s reporting on:

  • Electronic surveillance in the U.S. and the use of encryption technology to protect privacy,
  • Leaks from the NSA, including of its cyberwarfare tools,
  • Russia’s cyberattacks on Ukraine,
  • The Chinese attack on Google and Google’s response,
  • The cyberattacks on U.S. elections and the Trump administration’s response, and
  • What can be done to counter cybercrime and warfare at the individual and governmental levels.

[1] Perlroth, N. This Is How They Tell Me the World Ends. Bloomsbury Publishing, New York, NY, 2021.

[2] De Vynck, G., 9/22/21, “Treasury’s fight against hackers targets crypto payments,” The Boston Globe, from the Washington Post.