EXCLUSIVE INTERVIEWS — In the final days of one of the most consequential U.S. presidential campaigns in memory, outside threats to the election remain a high risk. As The Cipher Brief has reported, there is heightened concern over foreign interference from several quarters, much of it driven by new technologies that have made it easier for adversaries to meddle in the process.
The Office of the Director of National Intelligence (ODNI) has repeatedly warned that Russia, China and Iran are using generative artificial intelligence (AI) technology to spread dis- and misinformation about the presidential candidates, and amplify political divisions. Cyber threat actors have also tried to hack into the presidential campaigns; reports suggest that Chinese hackers who broke into U.S. telecommunications networks last month targeted the phones of former President Donald Trump and several of his family members, as well as members of Vice President Kamala Harris’s campaign staff.
The election interference threat was a key subject of interest at The Cipher Brief 2024 Threat Conference. Our chief international correspondent Ia Meurmishvili spoke with Glenn Gerstell, former General Counsel at the National Security Agency, and Sandra Joyce, the head of Google Threat Intelligence, on the sidelines of the conference to discuss the risks, the role of social media, and how strong public-private partnerships help bolster our election system’s defense.
The picture in these last days before the election is “cautiously optimistic,” as Gerstell puts it. “The intelligence community is on high alert, and we’re seeing efforts across the board to safeguard the integrity of the elections,” he said. “But we need to stay vigilant and ensure that we continue adapting to the evolving threats.”
These conversations have been edited for length and clarity.
Meurmishvili: With the elections coming up, where do you see some of the external threats, particularly from foreign interference?
Gerstell: Unfortunately, we do have to worry about foreign interference in U.S. elections. We saw this back in 2016, where Russia attempted to influence the presidential elections. The pattern continues, with disinformation and attempts to interfere in political campaigns being the primary tactics. We're not likely to see direct interference with voting machines, but the disinformation aimed at sowing discord is already happening.
Joyce: Cyber threat actors from Iran and Russia and China – we have been watching them all interfere with elections or with the information space over the last several years. We have been tracking very specific threat actors who are doing this type of activity. We recently published a report about a group we call APT42, an Iranian threat actor that has been targeting both sides of the campaign. It's almost that they don't necessarily have a favorite candidate. They just want to sow some discord in American elections. That's what we're tracking right now.
Meurmishvili: Do you anticipate the same level of interference, or do you think the threat is evolving?
Gerstell: We’re seeing similar patterns, but it's evolving. For instance, we’ve recently seen efforts to share false information on social media platforms, and in some cases, there's been hacking attempts aimed at campaign infrastructures. This disinformation is not limited to Russia anymore—other actors are also getting involved.
Joyce: (In the case of Iranian hacking group APT42), the threat actor actually leaked – they didn't just hack in, but also leaked this information. That's something that was new for this threat actor. But we've seen hack-and-leak quite often as a tool for some of these threat actors who have done this. The GRU, for example, from Russian intelligence, has done that hack-and-leak as well. Basically, what we're looking at is either an intrusion or information operations or a hybrid of both.
Meurmishvili: What do you think about the overall readiness?
Gerstell: The intelligence community is doing a lot. We’ve seen it evolve, particularly after 2016. Agencies like the NSA and FBI have stepped up their efforts, and we've seen bipartisan support for measures aimed at countering these threats. The intelligence community remains vigilant, especially with Russia, but also with other foreign actors.
Joyce: The good thing is that a lot of this election interference from foreign threats doesn’t really amount to much. I'll give you some examples involving Chinese information operations – more specifically, pro-China information operations, like a campaign called Dragon Bridge. What we have seen is attempts to create narratives that are anti-US, and pro-China. We have seen them do their narratives and push out these agendas in over 10 languages, on 30 different social media platforms.
However, when YouTube is taking them down – they took down 57,000 YouTube channels that Dragon Bridge tried to put out there, and 80% of them had zero subscribers. Similarly, 900,000 videos have been taken down from that same threat actor, and about roughly 70% had viewership of less than a hundred, and about 30% had zero. So really what we're looking at there is that there's not a lot of organic engagement with these information operations. So I would say that while there's a lot of effort from the Chinese side going on, it doesn't seem to have the impact that they probably want.
Meurmishvili: What do you ascribe that to?
Joyce: I think everyone wants to be an influencer, but not everyone understands their audience. First of all, YouTube taking them down obviously takes away the opportunity for those to get propagated further. But also, when you're doing an information operations campaign, you really have to understand the psyche of your target audience. And maybe they just haven't gotten that good at that yet.
Meurmishvili: How does the U.S. balance protecting elections with ensuring free speech and expression?
Gerstell: That’s always the delicate balance—protecting democratic processes while upholding free speech. The U.S. is very cautious when it comes to limiting speech, even in the context of foreign disinformation. Unlike in some other countries, we don’t have mechanisms to simply shut down disinformation sources, because of First Amendment protections.
Meurmishvili: What role does social media play in this, especially in terms of disinformation?
Gerstell: Social media is a huge vector for disinformation. The platforms have made some strides in minimizing fake news and misinformation, but they still have a long way to go. The ability to create fake personas and spread false information remains a significant challenge, and bad actors continue to exploit this.
Meurmishvili: Given the strides made in tackling disinformation, are you satisfied with where we are, or do you think more needs to be done?
Gerstell: We’ve made great progress, especially with platforms like Facebook, Twitter, and YouTube, but it’s an ongoing battle. We’ve introduced programs to minimize misinformation, but disinformation evolves rapidly. The key is that platforms need to continually adapt and build robust systems to identify and eliminate fake news.
There’s always room for improvement. Social media companies and governments are collaborating more, but the nature of disinformation is that it’s constantly evolving. We need to stay ahead of the curve and maintain vigilance.
Meurmishvili: Let's talk about private-public partnership in this. How important is that partnership, in terms of securing elections?
Joyce: I think that the public-private partnership is probably the single most important thing we're talking about at this [Cipher Brief Threat] conference, because the threat landscape is so vast and everybody has a different perspective. Everybody has a different view, different authorities, different regulations, and the only way we're going to be able to really attack the problems that are here in the world is through those relationships where we come together and solve problems. I think that's how important it is.
From my perspective, the industry and government partnerships around cyber threats specifically have never been stronger. There are a few reasons for this. The CCC (Cybersecurity Collaboration Center) at NSA has created an opportunity for businesses to work with NSA in an unclassified setting, really highlighting threats that they see in industry that perhaps the government didn't see before, which can protect thousands of organizations. We have things like the JCDC (Joint Cyber Defense Collaborative) with DHS and CISA, so you can see that the government is taking that public private partnership very seriously.
Meurmishvili: Are there any measures that you would like to see that would make some of these efforts even more effective?
Joyce: Mandiant Intelligence is part of the organization under Google Threat Intelligence, and so we have this very good perspective of incident responses. Mandiant responds to over 1300 incidents every year, and we get a first-row seat in seeing what threat actors are doing. When I spoke to some of these incident responders, I said, Well, what would be three controls you could do that could take care of the biggest amount of these threats?
And it was the following: One was to use multifactor authentication. To have a modern EDR (Endpoint Detection and Response) solution across your entire deployment, (with) a hundred percent of endpoints, which is harder than it sounds. And then we know that from our incident reports, we have often seen that there was an alert, an initial alert that was either ignored, misunderstood or deprioritized. So having a process around that kind of thing.
There's never a silver bullet, and all of these have their own vulnerabilities associated with them. But if a company or an organization were to be able to do something like this, they would take care of the vast majority of the commodity threats that are out there.
Meurmishvili: Some of these actors are using technological advancements to amplify their messages. Is the U.S. government fast enough to respond?
Joyce: I think that it's not a question about if the government is fast enough. I think with emerging technologies and the threats and opportunities that those create for us, it's really a whole-of-society approach we need to take.
Take AI for example. What's really, really crucial there is that it is the kind of productivity tool, the type of tool that is going to change everything — it already is changing everything. And so we want to make sure that we are ahead of threat actors who are going to eventually be using it for their purposes. And they are in some cases already doing it. We have seen them try to sell jailbroken versions of some of these chatbots in the underground. We have seen them use it for deepfakes. We've seen that type of thing.
But what we haven't seen yet is, for example, an incident response that we've done where AI was the tool, a game-changing tool for a threat actor. We haven't seen that yet, which to me means they're still experimenting. And we have the opportunity — government, industry, organizations, nonprofits, all of us — to walk forward understanding how we want AI to shape our lives together, what our standards are, what the regulation should be, and that we stay ahead in this technology so we can use it to defend ourselves.
Meurmishvili: Do you feel optimistic about the upcoming elections, given all the challenges?
Gerstell: I think we have reason to be cautiously optimistic. The intelligence community is on high alert, and we’re seeing efforts across the board to safeguard the integrity of the elections. But we need to stay vigilant and ensure that we continue adapting to the evolving threats.