The obvious story as of this writing is the slow-motion catastrophe of the novel coronavirus referred to as COVID19. While the medical struggle around this pathogen is harrowing and full of heroes (and villains), another struggle has emerged more in line with the political and economic consequences of this disease. Specifically, multiple entities detected disinformation campaigns surrounding COVID19, with sources attributing some of this activity to Russia, and other activity to the People’s Republic of China (PRC). While direct, focused attacks against infrastructure supporting COVID19 response (DDoS’ing a hospital or launching a disruptive payload against logistics companies) are fairly clear in both impact and (perceived) response and retaliation, these campaigns are more subtle and insidious and do not readily lend themselves to responses that are either deterring or retaliatory in nature.
The goals of the information operation campaigns targeting western (and primarily US) COVID19 activities are somewhat different. While the PRC-associated campaign appears focused on directing attention (and blame) for COVID19 to the United States, Russian-linked actions appear more aligned with causing general chaos and uncertainty amidst a crisis situation. However, both campaigns align quite nicely with a concept I’ve written about earlier on this site: “kicking while down”. To summarize this earlier argument, an attacker can maximize impacts (or “boost” an event’s impact from local, short-term disruption to wider, longer-term dislocation) by timing information operations activity with exogenous shocks.
Previous examples cited included a “well-timed” Ababil campaign to coincide with a financial crisis or panic. However, the current situation within the United States presents a uniquely enticing opportunity for an adversary desiring to weaken, disrupt, or otherwise sow chaos within the country. Given the almost laughable, certainly incompetent response by US authorities to COVID19 – from faulty testing kits to inconsistent messaging on quarantines and distancing – an interesting space opens for a capable, determined attacker to exploit. Namely, there exists within the US not only a situation of social and economic disruption to take advantage of, but also an increasingly potent distrust of authority and institutions (political, medical, and economic) given the bungled response to a generational crisis and subsequent political and social backbiting. Within this permissive landscape, an attacker need not necessarily engage in widespread influence operations, such as the IRA campaigns during the 2016 US presidential election, to have an effect. Rather, selective “nudges” and subtle messaging alongside existing narratives within a panicky communicative ecosystem ripe for influence (and seeking any direction in the absence of firm leadership) can begin driving events toward an adversary’s goals.
Precise analysis of what options an adversary has available in such a situation or how effective such actions might be is a fascinating conversation – but not the discussion to be had today. Rather, this essay was prompted by a comment on social media focused on how the US (and, provided most activity resides within the cyber realm, USCYBERCOM) might (or could) respond to disruptive activity inhibiting COVID19 response. My initial answer – given the limitations of the platform in question – was terse and could be interpreted as glib. Yet at the same time, I think there is definitely a concern on this subject, both given the topic at hand (ensuring the operational integrity and efficacy of response to a pandemic) and the entity largely charged with response and defense (presumably USCYBERCOM if we’re speaking not merely of defense – which would theoretically fall under CISA – but rather response and possible retaliation). Yet while the “ideal” discussion for USCYBERCOM concerns a direct, disruptive attack on critical infrastructure in a crisis situation, events as they are playing out reflect the more insidious, indirect operation that has given western authorities so much trouble in the past. Evaluating response and defense therefore requires first understanding just what is happening at present, then taking a look at what options exist within the current menu of policies and capabilities to actually do something about it.
To begin with the former, operations designed to complicate or disrupt the response to a medical emergency are somewhat unique within the realm of cyber influence operations – but not within the realm of overall information warfare. For example, the Soviet Union’s intelligence services worked to take advantage of a previous example of inept, bungled US response to a medical crisis with the AIDS epidemic in the 1980s. While that particular example did not result in any substantial panic or disruption, echoes of this campaign continue to the present day with persistent conspiracy theories of AIDS being a US-government bioweapon gone wrong. The subsequent mistrust created complicated responses and messaging, and undoubtedly increased friction in efforts to counter and contain the epidemic.
While the AIDS epidemic was a terrible, and terribly mismanaged, event, in scope, scale, and timing it pales in comparison to what the world is now experiencing with COVID19. As such, the pandemic contains a greater potential for weaponization given its wider impact, rapid spread, and quickly-manifesting impacts. When combined with the only currently known effective way of combating this pathogen – isolation and extreme social distancing to limit spread and reduce the immediate frequency of infections – this disease also contains the ability to inflict severe economic dislocation. Such impacts and actions reverberate throughout a society – and thus present an attacker with an extremely vulnerable target for influence and manipulation.
When combined with incoherent, inconsistent, or simply not credible messaging by political elites, a very interesting situation reveals itself. The dislocation between the medical and economic impacts in daily life and the “keep calm and carry on” messaging of some political authorities (principally the United States) births a space for narratives pushing back against both: that either the impacts of the disease are overblown (for whatever conspiracy theory reason you would prefer), or politicians are willfully endangering either the lives of constituents (by taking lax action) or their economic well-being (by acting decisively to limit spread). This presents a host of possible ingress points to inject information into a frazzled and stressed communicative landscape to shift, nudge, or simply throw chaos into existing conversations on the COVID19 pandemic and its response.
So opportunity certainly exists – what options are present to actually combat or otherwise push back against such attempts? Typically ethical and legal perspectives on response and retaliation focus on the concept of proportionality – that a response to an attack or injury be in line with military objectives and not unnecessarily or needlessly excessive in damage and dislocation. In the case of an attack against a medical response – not necessarily something overt such as launching a form of wiper malware against a hospital, but instead an indirect campaign to undermine authority and sow chaos through information warfare – questions of proportionality become quite interesting rather quickly.
For example, a “tit for tat” response to such a campaign – even if conducted in the same manner (influence and disinformation operations) – would primarily impact civilians in the adversary state. Certainly state power, authority, and potentially even viability could be impacted, but noncombatants will be disproportionately harmed, and some will die, as the result of such an action. One could try to argue that this response is in line with and commensurate to the actions taken against the defender (in this case, the United States), but I am not familiar with any legal opinion – let alone ethical argument – indicating that one may respond to what is essentially a war crime by committing another. Ultimately, any sort of attack or deliberate disruption against an adversary’s medical infrastructure and response would appear disallowed and impossible for any entity remotely abiding by the law of armed conflict and similar frameworks.
So what sort of options are available to counter or impose costs on an adversary leveraging a “light touch”, information-focused campaign free of the sort of direct action that matches well with conceptions of response and retaliation? Well – I’m not really sure to be honest. US government actions to counter cyber operations typically fall into two buckets: disruption operations aimed at taking away or degrading an adversary’s ability to operate led by USCYBERCOM (from infrastructure/capability takedowns to coordinated malware disclosure to direct action against aggressor entities) and sanctions or legal “name and shame” operations typically orchestrated by the US Department of Justice. Given that the situation at hand is one of immediate concern, the legalistic approach appears wholly inadequate given the time required to gather evidence, formulate policy, then let actions (such as sanctions) take effect.
So that appears to leave us with the military approach, yet there are no good answers here either. Operations to identify then disrupt the infrastructure or capabilities of those disseminating misinformation are certainly possible, but as I’ve discussed previously, they quickly begin to resemble a game of “whack-a-mole” if an attacker is determined and begins spinning up additional, harder-to-attribute infrastructure. Short of declaring war on the internet itself or completely isolating one’s own communicative space from outside entities (neither of which appears possible, let alone desirable, in a liberal democratic society), such a fight is a costly, losing battle. One might be able to generate metrics of perceived success and progress, but such items will be no different than the ephemeral measures of success frequently trotted out in long-running, costly counter-insurgency warfare.
Yet the need to at least be seen as “doing something” will likely push policy makers and operational leadership to reach for familiar hammers as all problems are reduced to comfortable-looking nails. I suspect in the coming weeks (and likely months) we will hear about how USCYBERCOM (and maybe similar entities in other states) conducted operations to disrupt or limit the ability of malicious entities to wage disinformation campaigns around COVID19 and related activities. And while these will yield breathless media reports about a new era of cyberwarfare and lead to no shortage of academic papers and cyclical back-patting among the Washington DC intelligentsia, their actual effectiveness will be fleeting at best. Such actions, while scratching the annoying itch to do “something”, simply fail to grasp the true problem. To paraphrase a bit of Tony Blair in one of his more lucid and sane moments, while we would like to be tough on information operations and misinformation campaigns, truly resolving them means being tough on the causes or enabling factors that allow such campaigns to be successful.
So what does that look like? Well, we already are witnessing certain items on both the federal and local level in the United States to try to push back against misleading or outright harmful messaging. For attacks that are fueled and enabled by misconception and poor communication, direct, easy to understand, and fundamentally simple messaging on vital subjects (such as COVID19 response and prevention efforts) is not merely desirable, but absolutely necessary.
To some extent, especially when matters require a “whole of population” understanding and response, we have already set ourselves up for degrees of failure by using complex, relatively new terminology (e.g., “social distancing”) as one of the primary efforts to counter COVID19. Yet while this is undesirable and has made matters more difficult, neologisms and fuzzy or new language are not the primary problem. The chief issue at hand lies with the schizophrenic response to the COVID19 pandemic in a number of western societies – chiefly the US, but nearly every western democracy has had its “stay calm, all is well, carry on with your lives” moment throughout this crisis. Essentially, the communicative landscape surrounding an issue of vital personal (as well as national and social) importance has been almost irredeemably muddled by poor, mixed, or outright conflicting messaging. Every unhinged press conference, every swiftly-debunked falsehood or exaggeration, every faulty assumption produces ever more space and breathing room for malicious messaging and information manipulation. While we may decry the opportunism of Russian or Chinese-related entities for attempting to leverage a health crisis to further disrupt societies already under immense strain, at the end of the day the victims have only themselves to blame for enabling these attacks.
Thus, we are left in a very rough spot. USCYBERCOM and similar entities may work diligently and tirelessly to combat the symptoms of information warfare as made manifest by external malicious actors, but the root causes enabling this situation lie within the very societies defended. Unless we, as liberal democratic societies, collectively “get our shit together” in this time of crisis, not only will we increase the difficulty in responding to the pandemic, but we will also further facilitate others to prey upon our division and discord to create further disruption. And while each of us has our own role to play in this regard – from questioning a message before hitting “like” or “re-tweet” in social media to taking personal responsibility for actions that have repercussions beyond our own selves – ultimately a leadership vacuum exists that makes all of the above that much harder to execute. Although not exclusively at fault for matters, the lack of confident, informed, and capable political leadership in the United States will enable external entities to continue sowing discord within this society, and we will pay for this ineptitude and ignorance with the lives of our fellow countrymen and women.