Much of the discussion surrounding Russian cyber-enabled information operations against Western societies focuses on technology, such as bots amplifying messages on social media and the hacking of institutions of power to then leak emails with potentially salacious material. But in order to meet the level of success that Russian intelligence has in their information campaigns, they must first do the groundwork – determining their target audience and characterizing their pressure points through cyber espionage. The Cipher Brief’s Levi Maxey spoke with Doug Wise, the former Deputy Director of the Defense Intelligence Agency, about how governments, both democratic and autocratic, might go about engaging in cyber-enabled information warfare.
The Cipher Brief: How do democracies and autocratic regimes view cyberspace differently, or is it generally the same?
Doug Wise: We in the United States do not use cyberspace for internal repression and governance in the same way that an autocratic regime would because we have the rule of law and privacy controls at play. Most autocratic regimes use it as a way to monitor their populace – both good and bad actors – and to use that information to better control the population. But in the cyber domain, it really doesn’t matter what your government is from an external use standpoint. From an internal use standpoint, it is arguably different.
The Cipher Brief: Would the U.S. then be involved in the information operations abroad that we have seen, for example, Russia being involved in? Or are there restrictions against that because it might influence the domestic U.S. population?
Wise: The United States has always allowed traditional information operations to be part of the covert action toolset. There are clearly significant overt control and oversight mechanisms in play when the U.S. decides to go down the covert action path – it doesn’t matter whether it’s physical covert action or cyber covert action. But the U.S. wants to have a capability to provide messaging to broad targets, or perhaps maybe very precise targets. This is part of the multiplicity of functions that a point of presence in cyberspace gives you. You can inject malware and collect from your presence, and you could certainly use that as an entry point for messaging to broad or very precise targets.
TCB: What kinds of countries are more susceptible to these kinds of messaging operations? For example, in democracies it might get messy because disinformation can impact elections. But in autocratic countries, where they might require information control for the regime to survive, it could negatively affect them in the long run.
Wise: The Russians mounted a very complicated, well-coordinated, and well-adjusted program to provide disinformation. In the United States it was effective, because of the free flow of information and the openness of our information systems – everything from media to social media to blogs. The opportunities for messaging are far greater in an open society than they are in a closed society. It gets a little messy because there are so many different ways that people in democracies get information, but at the same time there are a large number of people who follow specific publications. There are points in a democracy where one could economize information operations.
In a closed society, access to information is tightly controlled, so it is not like it is going to be as easy to pop up a dissenting website whose purpose is to provide counter information to the state-owned media organs. The government would find that right away. Granted, websites are just URLs, so you can put the location of the servers anywhere you want. These are not like a newspaper or a radio station that opens up in the autocratic country and the next thing you know the thought police are kicking the door down and arresting all the people. The security organs of an autocratic society can clearly identify when non-traditional information starts to exist in their society. This is a lot easier for them than democracies because they already tightly control their information.
That said, you could have one of these cathartic events, where instead of a fruit seller committing suicide in North Africa to start the Arab Spring, there was a cyber analog to that. You could have a cathartic event, where all the conditions are set for an autocratic society to be tipped over by some form of cyber propaganda – which I suppose is possible, but I think that is unlikely.
TCB: Given the multiple audiences that cyberspace enables, is the intention of cyber-enabled information warfare more for strategic communications that push a specific narrative, or is it rather intended to confuse and subvert institutions of power?
Wise: It gets to the heart of the issue – the inherent multiplicity of uses of the cyber tool means you can do all of that. When the Russians tried to manipulate our electoral process, it was very strategic. When they hacked into Clinton campaign manager John Podesta’s email, it was very tactical. There was strategic context for the tactical information that they got by hacking into Podesta’s email.
There were probably people back in Russia who were looking for any vulnerability to allow access so that they can blackmail somebody to do something for them or tell them something. Then there are the Russian Ministry of Foreign Affairs consumers of the stolen emails who are looking to go out and say, if the Democrats win the election, what are likely to be the policy outcomes? There are all kinds of different consumption, but the reality is the hacking of the emails and the creating of fake personas on social media was designed to support a grand strategic objective. Yet at the same time, each one of those things is a discrete act. Some human had to actually plan out what the Facebook page is going to look like, what the objective is, what the target audience is, and how to create the account so that it isn’t apparent that it is fake or tied to the Russian Federation. So there was a lot of very intensive operational planning that had to go into the discrete parts, all of which had to work in some collaborative fashion to support the overall strategic goals.
Yet, at the same time, we have gone toe-to-toe with ISIS on ideological recruitment messaging. Is that strategic or is that tactical? Are you trying to prevent one guy from getting on a plane and going to Turkey, or are you trying to put the messenger out of business by either discrediting that particular messenger or through cyber means that determine he is on the corner of 5th and Main and then have a 500 pounder take care of him? So the line between where tactical actions end and strategy begins is sometimes indistinguishable.
TCB: What level does cyber espionage then play in the lead up to information operations, such as weaponizing emails stolen from the Democratic National Committee?
Wise: In regards to a cyber tool, it is just an operational act in which case you have to characterize the environment in which you are seeking to create an outcome. Cyber is a way to characterize the environment and the target – which may be a nation, an individual, or anything in between. You can then use cyber tools to extract information to give you very precise targeting data.
Take, for example, the recent Equifax breach of 143 million records. Those are not indiscrete data points, those are 143 million people. The data holdings by Equifax were everything from social security numbers, email addresses, phone numbers, bank balances, credit card numbers – anything in your credit report. This can be used to characterize a target audience.
Now if you are in the information injection mode – such as planting an article in the newspaper in Nigeria, for example – the article has to look like it came from a Nigerian, it has to carry Nigerian resonant messaging, it has to look authentic so that it doesn’t seem like some American wrote it. There is a talent and artistry to creating the message, but cyber is a means to get that message out.