Countering covert operations
Defending against a covert operation based on cyber collection of data and dissemination of data to a target audience is extremely difficult. This is because, as we covered in (part 1, part 2, part 3) not only are cyber attacks notoriously difficult to defend against — particularly for civilians facing intelligence agencies — but also because dissemination of information is literally what the Internet does. So, what is to be done?
To quickly recap, a cyber campaign based on leaks requires basically three things:
- collection — pulling the data from the victim systems
- dissemination — pushing the data out to the target audience
- assessment — target audience “buying” the data as valid
This is why the safest approach to protecting data is, as always, not to produce any. Failing that, the preference should be for deleted / removed data (e.g. ephemeral messaging), then encrypted data that is still around, and lastly plaintext data. The preference order is therefore Lomasney’s Law:
Never write if you can speak; never speak if you can nod; never nod if you can wink.
What valuables must be protected?
The value that the adversarial intelligence organization obtained was only achievable through the exploitation of the collected data. Ultimately, that meant the data had to be disseminated, and it had to be readable/understandable by the target audience.
Dissemination and legitimacy
The counterintelligence goals must be to harden systems (as per part one) and then to limit the ability of the adversary to exploit the data. The data was exploited by wide dissemination and by legitimisation via the media. Target the ability of the media to disseminate the data and the adversary loses page views and validation/authority/legitimisation.
How do you hinder the media?
Here is a brief exchange that shows how to minimise the ability of the established media to legitimise and disseminate data:
Okay, fellow journalists, raise your hand if you too were approached with this story. (I was.)
— Julia Ioffe (@juliaioffe) January 10, 2017
And you turned it down, I assume. Why?
— Mathew Ingram (@mathewi) January 10, 2017
Because it was impossible to verify. (I tried.)
— Julia Ioffe (@juliaioffe) January 10, 2017
Even when the data (in this case a dossier of opposition research against Trump) was used in an article it was muted, and the data was not made available.
David Corn, the Mother Jones journalist who wrote the magazine’s comparatively circumspect Oct. 31 report on the allegations, tweeted Tuesday night that he did not publish the full memos at the time because he could not verify their allegations — Source
1. For those asking, I didn't publish the full memos from the intelligence operative because I could not confirm the allegations.
— David Corn (@DavidCornDC) January 11, 2017
This is an extremely unpopular position to take, but it is how to approach this threat vector.
Mitigating dissemination and validation by the media requires, essentially, attacking the rules and procedures that govern professional journalism. This sort of thing is extremely common for a PR launch campaign, or for politicians handling media interviews, but it is unusual to apply it to “private” internal communications.
Mitigation techniques: concrete suggestions
Professional journalists must, generally speaking, conduct fact checking. They must be able to verify the data used for their story, and will (usually) not publish a story that is unverifiable. The technique to use here then is to make the datasets unverifiable, or so difficult to verify that the fact checking exceeds the window of vulnerability.
One simple solution is to remove identifiers from the datasets. That is, to use anonymous, or pseudonymous, communications tools (possibly combined with open codes and code names.) Here is where Signal (and WhatsApp or PGP, etc) are a terrible solution. The content is still easily linked to specific individuals. This makes for easy verification and fact checking.
Do: The Democrats would have been better off using dedicated compartmented iPhones with disposable SIM cards and Threema anonymous messenger in a closed loop. Periodic migration (say, monthly) to new devices, SIMs, and Threema accounts would create temporal compartmentation, limiting the damage of a compromise. Adopting the security measures of Reservoir Dogs — assigned codenames — would greatly reduce the ability of a fact checker to attribute the dataset and increase the time required to do so.
The primary problems with Threema are the lack of PFS (not relevant to this threat model) and no ephemeral messaging (a serious handicap here.) Using Signal with disposable SIMs is viable, but the temptation to label contacts correctly (which would defeat the entire protection) makes me hesitant to recommend it in this case.
The Case for Code Names
Code names are extremely effective at masking what is being discussed, particularly when they are slightly generic and can be “talked around,” allowing the participants to discuss a topic in cryptic passing reference that is not relevant for outsiders. This was used extremely effectively by the Indians in the lead up to their nuclear tests in 1998.
Delhi was on line with another query: “Has Charlie gone to the zoo? And is Bravo saying prayers? Mike is on.” The decoded version: “Has the DRDO team (codenamed Charlie) gone to the deer park (the zoo or the control room)? And has the BARC team (codenamed Bravo) gone to the bunkers where the nuclear devices are being assembled (prayer hall)? The DG, Military Operations (Mike) wants to know the progress.” — Source
This sort of code is extremely difficult to keep track of, so civilians are likely to slip up. Still, it would hinder the ability of the adversary to analyse the data and determine what is going on.
The downside is that, in a highly partisan environment where a significant percentage of the vocal population is willing to believe conspiracy theories, cryptic coded phrases allow the reader to project whatever meaning they want onto the data. This is not very good. Codes definitely need to be carefully chosen.
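As an added illustration of the “remove identifiers” and code-name advice above (example code written for this edit, not the author’s), here is a small Python check that applies a codebook to an outgoing message and then flags anything that would still let a fact checker attribute it: e-mail addresses, phone numbers, social handles, or a real name that slipped past the codebook. The codebook, the names and the sample message are all constructed.

```python
import re

# Constructed codebook: real names/topics -> codenames (assumption, not from the post).
CODEBOOK = {
    "Alice Brennan": "Charlie",
    "Bob Marsh": "Bravo",
    "the fundraiser": "the zoo",
    "the debate prep": "prayers",
}

# Identifiers that directly link a message to a person and make fact checking easy.
LINKABLE = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s().-]{6,}\d"),
    "handle": re.compile(r"(?<!\w)@\w{2,}"),
}

def apply_codebook(text, codebook=CODEBOOK):
    """Replace each real name/topic with its codename, longest phrase first."""
    for real, code in sorted(codebook.items(), key=lambda kv: -len(kv[0])):
        text = re.sub(re.escape(real), code, text, flags=re.IGNORECASE)
    return text

def find_leaks(text, codebook=CODEBOOK):
    """Return (kind, value) pairs that still attribute the text to someone."""
    leaks = []
    for kind, pat in LINKABLE.items():
        leaks += [(kind, m.group(0)) for m in pat.finditer(text)]
    # A single first or last name from the codebook is a slip-up too ("Alice's team").
    for real in codebook:
        for part in real.split():
            if part.istitle() and len(part) >= 3 and re.search(r"\b%s\b" % re.escape(part), text):
                leaks.append(("name", part))
    return leaks

def check_message(text, codebook=CODEBOOK):
    """Encode the message, then report what a fact checker could still pin on a person."""
    coded = apply_codebook(text, codebook)
    return coded, find_leaks(coded, codebook)

# Constructed sample message with two deliberate slip-ups and two contact details.
SAMPLE = ("Has Alice Brennan gone to the fundraiser? Bob Marsh is doing the debate prep; "
          "tell Alice's team. Call 555-0123 or alice@example.org")

if __name__ == "__main__":
    coded, leaks = check_message(SAMPLE)
    print(coded)
    for kind, value in leaks:
        print("still attributable via %s: %s" % (kind, value))
```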
Achievement unlocked: hinder professional journalists
This counterintelligence plan is about mitigating the ability of major mainstream media outlets to disseminate and validate the stolen data sets. This is accomplished by:
- limiting the data available,
- unlinking the content from specific individuals, and
- making it a difficult editorial decision to publish a story (due to weaknesses in the ability to verify and fact check.)
At a minimum, using anonymity/pseudonymity and unlinked compartmented comms accounts would cause delays in the news cycle, and provide plausible deniability about who said what.
Reduce valence to reduce value
The other major way to blunt an email spool dump is to make the data less engaging for readers. By reducing the interest that a reader has in the content, it becomes less likely to spread because they are less inclined to engage with it and share it.
High Valence Content is Engaging
There are a few things that make a story interesting to people, and that is generally emotional content: anger, fear, joy, etc. These are basic concepts from any marketing 101 course. The trick is then to make content that is boring — which is hard, for sure, but it is at least possible. Long and boring, short and dull, vague and meaningless… Something I call: Operation Beige.
The three phases of the information operation — collection, dissemination, assessment — provide different mitigation opportunities. The first part of this series emphasized the futility of relying on completely preventing collection. Other instalments proposed a set of tactical steps to hinder the dissemination of the data. This one presented strategies to make the data harder to assess, less interesting to examine, and more difficult to judge.
The key is to remember that the success of the info op requires a lot of things beyond simply “hack the data.” Developing a mitigation plan against the operation requires targeting each phase, and not simply relying on preventing a breach.