Welcome to Codebook: The cybersecurity newsletter that doesn't lie to you.
Tips? Send 'em in to this email address.
Today's Smart Brevity: 1,258 words, <5 minute read
1 big thing: U.S. laws don't cover campaign disinformation
The international industry of disinformation-for-hire services has already reared its head in Western politics, and it's growing fast.
The big picture: There is no U.S. law that prevents candidates, parties or political groups from launching their own disinformation campaigns, either in-house or through a contractor, so long as foreign money isn't involved. It's up to individual candidates to decide their tolerance for the practice.“These tactics have been used by candidates all over the world,” said Camille François of the social media analysis firm Graphika.
- A Philippines-based firm claims to be manipulating social media for political clients around the world, including Great Britain; Mexican campaigns for city and national offices use social media chicanery; and researchers at Google’s altruistic technology outpost Jigsaw recently rented a Moscow-based outfit to run a disinformation campaign to test how its campaigns worked.
- Campaigns have also been spotted in Israel, Macedonia and throughout South America.
The intrigue: Broadly, U.S. campaign finance laws don’t regulate free social media accounts. Even a vast network of inauthentic bot and troll accounts would likely be treated as a protected form of political speech.
- "The Federal Election Campaign Act does not address this situation," said Charles Spies, the leader of Clark Hill's global political law practice. He noted that an aggressive prosecutor might try to find clever ways to apply seemingly unrelated statutes — just as they might for any other action that seems wrong but has no directly applicable law.
The only firm rules are the boundaries political actors set for themselves.
- “People should want to know what the boundaries are: Will their social media teams use inauthentic accounts? Will they work with PR agencies that do?” said François.
Axios reached out to the parties to see if they took active stances on the issue.
- “The DNC does not hire outside entities to generate inauthentic content, and we advise campaigns against engaging in these activities,” Democratic National Committee chief security officer Bob Lord told Axios.
- The Republican National Committee did not respond to several requests for comment.
Meanwhile: Campaigns can act in ways the national party does not endorse, and political committees, in turn, can act in ways the candidates do not endorse.
- But if the buck stops with the current batch of candidates, there's some reason for concern.
- Among campaigns contacted for this story — 5 top Democrats and the Trump campaign — none responded with a firm policy regarding the use of phony accounts or how they would respond if supporters used them.
2. Twitter's new ban on state-run news outlets
Earlier this week, Twitter banned state-run media from purchasing advertising after it came to light that Chinese state media had been amplifying disinformation related to the Hong Kong protests.
Why it matters: This isn't the first time that regime-run media has lost ad privileges. In 2017, after U.S. intelligence agencies singled out Russia’s news services, Twitter banned Russia Today (RT) and Sputnik from buying ads. But the new move makes a proactive rule out of a previously ad hoc approach.
Naturally, banned agencies aren’t thrilled. RT complained that it was banned while outfits like the BBC were not, and Chinese media took the narrative that suppressing its freedom of speech was a strange way to promote freedom of speech.
- Twitter addressed the former in its policy, saying state-run and taxpayer-funded media were two different things and that it would outsource its decisions to a number of journalism-focused nonprofit groups.
China has a long tradition of focusing disinformation internally. But Twitter is banned from the mainland, so Chinese campaigns on that platform are targeted to an external audience.
The big picture: This is a good reminder that not all Western-facing disinformation comes from Russia.
- “Saudi Arabia was heavily pushing disinformation regarding Jamal Khashoggi. This wasn’t directed singularly towards the U.S., but rather a wider effort to change the perception of the Saudi government in association with the incident,” said Harrison Van Riper, an analyst for the threat intelligence firm Digital Shadows.
- Iran was recently outed broadcasting fake stories it attributed to major international news agencies for an international audience.
- Yemeni groups also run disinformation campaigns.
- And “the largest actors at scale focusing on the United States are in the United States,” said Graham Brookie, director of the Atlantic Council’s Digital Forensic Research Lab.
But, but, but: Not all of these campaigns use ads. “We’ve seen campaigns that spend $0 on ads; we’ve seen those that spend tens of thousands on ads,” said Ben Nimmo of Graphika.
- Ads from an apparent news agency are an effective tool that purveyors of disinformation will miss. It’s possible that a ban on ads will push foreign actors to less-effective but harder-to-detect bot and troll campaigns.
To be sure, the effectiveness of ads for state-based news agencies goes beyond amplifying the news story in the ad.
- Ads for accurate news stories promote the legitimacy and readership of state news agencies that can then broadcast a more nefarious message from their own platform.
- “The point of the ad is not to get someone to watch the ad, it’s to get someone to buy a product,” said Nimmo.
3. Kaspersky still lurking on federal computers
Kaspersky software is still running on federal agency and contractor systems despite orders to purge the Moscow-based firm's wares, according to a study from Expanse.
The big picture: Two years ago, the Department of Homeland Security directed agencies to remove Kaspersky products due to fears that Russia used Kaspersky Antivirus to find and steal classified documents. Several other federal orders, including one for contractors to remove the products, followed.
But, but, but: "It's actually hard to remove software that comes bundled with hardware," Tim Junio, Expanse co-founder and CEO, told Codebook.
- Kaspersky used to come preloaded on computers and bundled with other companies' hardware — people didn't know they'd purchased it, and it didn't show up in expense reports.
- Using data from network traffic analysis, Expanse discovered Kaspersky software operating in a number of agency and contractor systems.
None of this means Expanse found evidence to substantiate concerns that Kaspersky was involved in espionage.
4. In case you missed it
22 Texas towns hit by ransomware attack (TDIR): 22 communities in Texas are working to contain ransomware attacks, the Texas Department of Information first reported over the weekend. The same attacker is believed to be behind all the attacks, state systems were not affected and most victims were apparently governments of small localities.
Browsers unite against Kazakhstani surveillance (Axios): Google, Mozilla and Apple are taking a coordinated action to prevent the Kazakhstani government from using bulk surveillance on citizens' web browsing.
- Web browsers use a system known as certificates to verify and encrypt communications with websites. Kazakhstan is reportedly forcing residents to circumvent that system by using a national certificate rather than the trusted certificates that browsers normally use.
- The national certificate would give the Kazakhstani government the ability to snoop or even change internet communications.
- Google, Mozilla and Apple, makers of the Chrome, Mozilla and Safari web browsers, have agreed not to accept that national certificate, making it difficult for Kazakhstan's scheme to work.
Five fraudsters arrested in swindling of U.S. vets (DOJ): An international crew of 3 U.S. citizens, 1 Australian and 1 South Korean was arrested for allegedly using stolen personal information to bilk thousands of veterans out of benefits.
Facebook audit finds no liberal bias (Axios): In a blow to a conservative talking point that never really had much evidence on its side, an independently conducted, Facebook-funded audit lead by Republican former Sen. Jon Kyl found no bias against conservatives on Facebook.
5. Odds and ends
- This week in exposed, unsecured data: MoviePass and a hentai pornography site. (both from TechCrunch)
- Patch your Nest camera. (Talos)
- Google canceled a cell network testing service over privacy concerns. (Reuters)
- Researchers get strategic about fighting online hate communities. (The Verge)
- The alleged Capital One hacker is arguing for a release from jail. (ABC)
- Researchers reported a security flaw in Moscow's blockchain election system. (ZDNet)