It’s 2019 and we live in a world where understanding what is real and what is fake can be challenging. In the security community, we increasingly deal with information warfare adversaries that rely on that fact and, operating at internet scale, are capable of causing plenty of havoc.
Understanding what information warfare is in the first place is important when it comes to being able to spot it. Wikipedia defines information warfare as “a concept involving the battlespace use and management of information and communication technology (ICT) in pursuit of a competitive advantage over an opponent.”
In a 2018 publication to the Congressional Research Service, Catherine A. Theohary, specialist in the National Security Policy, Cyber and Information Operations group, wrote: “In the Battle of Thermopylae in 480 BC, Persian ruler Xerxes used intimidation tactics to break the will of Greek city-states. Alexander the Great used cultural assimilation to subdue dissent and maintain conquered lands. Military scholars trace the modern use of information as a tool in guerilla warfare to fifth-century BC Chinese military strategist Sun Tzu’s book The Art of War and its emphasis on accurate intelligence for decision superiority over a mightier foe. These ancient strategists helped to lay the foundation for information warfare strategy in modern times.”
In the more recent past, information warfare has been used in the form of propaganda dropped over the civil-war conflicts in Somalia to persuade Somali locals (as well as combat soldiers) that the U.S. forces were there to help, and that a peaceful resolution could be established. This could also be described as a PsyOps campaign (psychological operations), but for both, the outcomes are similar: gaining an advantage over your adversary.
As for the present day, Theohary goes on to say in her paper that “As cyberspace presents an easy, cost-effective method to communicate a message to large swaths of populations, much of present day information warfare takes place on the internet, leading some to conflate ‘cyberwarfare’ with information warfare…other countries and terrorist organizations have robust information warfare-strategies and use a whole-of-government or whole-of-society approach to information operations.”
Online DDoS groups have used information warfare in the form of employing scare tactics. For instance, in my previous article Rogue Waves: Preparing the Internet for the Next Mega DDoS Attack, I talk about the group DDoS 4 Bitcoin (DD4BC), which was active for 24 months or so starting in the summer of 2014. Their tactic was to DDoS an organization’s website for a short time, then send an extortion email claiming they would do it again, but worse, if the company did not pay up.
A short time after that, a group calling itself Armada Collective saw that DD4BC was making so much money that they decided to follow suit. But they would bypass the initial DDoS attack; they found that sending an extortion email saying they would launch an attack was enough to get paid by many companies hoping to stay online and out of the spotlight.
Fake news is meanwhile being used to falsely or deliberately mislead people. Unfortunately, fact-checking is often left out before someone declares judgment or an opinion on a subject.
Years ago, becoming a journalist meant that you were trained to gather leads, cite your sources, and, to the best of your ability, honestly and ethically develop your story. In 2019, we find ourselves in a world where the internet has turned every member of the free world into a prospective journalist, with the ability to write a blog on “medical best practices,” publish advice on “getting out of abusive relationships” or pen a column on “how to spot patterns in the stock market” — without necessarily knowing what they’re talking about. When it comes to information warfare, political columns from non-journalists making unsubstantiated claims have proliferated and become an important part of influence campaigns.
If just writing an article or sending an email can lead to free money or influencing the masses, what if we were to see a world leader “say” something on video which would seem to prove that he or she said a certain quote that was attributed to them?
This is where deep fakes come into play. Using AI technology, almost anyone is now able to give a computer program an input of a person’s likeness, which can then effectively swap the face of the person in the video. This can be found in simple form in the “Face Swap”-type apps that exist in app stores. But by using powerful computers and AI neural networks to perform deep learning tasks, any person’s face can be swapped with anyone else’s.
For example, this was done in a Saturday Night Live skit of Kate McKinnon from the YouTube channel Derpfakes. This is a great example of what may be done in the future when you have an actor who can deliver a believable performance as a target: Dressing the part, delivering the lines and having the setting appropriately set.
Imagine a video that’s published to social media of the president saying “We’re going to war” or Apple CEO Tim Cook saying “Apple is being fined $10 billion dollars.” What kind of impact could that have on the stock market or the nation as it goes viral and people’s discerning eye for truth or ability to tell the difference fails them?
It goes without saying, but I will say it anyway – the world is changing at a rapid pace and we have to be vigilant about what news and data we share and from which sources we get our information. This is nothing new to the information-security community, but as a friendly reminder/PSA to everyone else: As always, trust but verify!
(Tony Lauro manages the Enterprise Security Architecture team at Akamai Technologies. With over 20 years of information security industry experience, Tony has worked and consulted in many verticals including finance, automotive, medical/healthcare, enterprise, and mobile applications. He is currently responsible for Akamai’s North America clients as well as the training of an Akamai internal group whose focus is on Web Application Security and adversarial resiliency disciplines. Tony’s previous responsibilities include consulting with public sector/government clients at Akamai, managing security operations for a mobile payments company, and overseeing security and compliance responsibilities for a global financial software services organization.)