Quick 🧵 to wrap up a crazy week in Info Ops land:

I’m confident both Russia, China, and Iran have long-standing, well-formed, multifaceted plans to undermine American democracy, which includes the 2024 election. What we’re seeing with the alleged funding of Tenet Media and the sanctions against the Doppleganger Disinfo-as-Service groups are simply workstreams in a larger Statement of Work (to McKinsey-fy this).

Lots of foreign election influence news/drops this week. Here's one from @CISAgov, @FBI, & @ODNIgov highlighting a few tactics we're seeing from the "usual suspects" (Russia, China, Iran): narrative farming, AI generated images & Audio clips, hack & leaks, paying witting & unwitting cutouts (PR firms!) to spread messages, & flooding social media with content to create illusion of consensus.

So what do we do about this:
1) AI Companies need to monitor & disrupt abuse of platforms (in line w/ the Tech Accord to Combat Deceptive Use of AI)
2) Fed govt needs to ID & intervene in Foreign info ops
3) Election officials need to ramp up communications w/ voters on how elections work & where to get authentic info
4) We (the people) need to become harder targets, take a beat before getting riled up.

Remember, the majority of RU, CN, & IRN efforts target on existing divides, they're playing us against each other. If there's one thing most people hate is getting manipulated, and the Kremlin is trying its damnedest here...

cisa.gov/sites/default/…

Here's one from yesterday on a leaked Russian document detailing strategy & objectives:

- Undermine the west
- Cozy up with other Authoritarian regimes
- Flip the Rest of World against the West

We've seen plenty of this at @LabsSentinel in our analysis of DoppelGanger

washingtonpost.com/world/2024/04/…

Timely piece here by @Lingling_Wei on internal clampdown by Chinese security services on foreign businesses and cascading effects on capital flows.

A few thoughts (w/ a h/t to @KrebsStamos China expert @DakotaInDC for shaping the 🧵).

https://twitter.com/lingling_wei/status/1659276981425303568

No question there’s an acceleration of hostile action against foreign companies. A combination of new laws/regs and actual enforcement (evidenced by Bain/Capvision/Mintz raids) laying the groundwork for more of the same. Question for companies building out in China: You ready?

There’s a subplot in today’s RU/US exchange. Any time you do a deal with the Russians you have to think beyond the headlines. Diplomacy is messy and a bunch of other factors get woven in for more strategic, yet unrelated objectives. The Kremlin uses prisoner exchanges, among other things, for domestic & Intl narrative shaping & influence ops. Worth noting they’ve long stoked racial divisions here and cracked down on LGTBQ communities at home. Not really breaking news but yeah, BG was a pawn here.

The Moore County, NC substation incident is just another in a string of attacks on the US grid. In the last 3 weeks, there've been 6 incidents at substations in the Pacific NW per industry experts. 2 involved gunfire (others vandalism & arson). But they had little impact. We're still trying to figure out what happened in North Carolina (& out west). It could be local rubes taking potshots (happens all the time, actually). But the timing of attacks on 2 substations targeting the *right* equipment, suggests something more coordinated & concerning.

I'd like to highlight a couple notable election-related alerts from @CISAgov & @FBI this week, put in context some recent news, & frame my main areas of concern for threats to the 2022 election (NB: it's not just "Midterms", as there are statewide elections). 1st, this alert from Monday reinforces prior govt position no cyber activity has prevented voting, affected counting, affected integrity of voter info. It goes further, stating that it's *unlikely* cyber itself would disrupt/prevent an election. cisa.gov/sites/default/…

Really loving this alert from USG as it's a timely reminder China security services are still incredibly active against targets in their core areas of interest (intelligence, economic espionage, influence, & positioning for disruptive operations).

https://twitter.com/CISAJen/status/1578091226242650112

It's timely from where I sit because as @alexstamos & I have briefed a bunch of Boards & execs lately, (where most are interested in Russian threats), we're seeing an increasing interest at the Board/C-level in risks posed by China BECAUSE of Russia's invasion of Ukraine.

I can’t believe I have to say this, but just so we’re on the same page, the notion Exec Order 13848 (or any Exec Order) would allow the POTUS to rerun an election, seize election machines, or otherwise allow the Executive Branch to subvert a Federal election is lunacy. EO 13848 lays out the workflow for agencies to analyze foreign interference, assess impact, and implement consequences. What are the consequences? Sanctions. It’s literally in the EO’s title. That’s it.

Hung out w/ Ukrainian fighter pilot callsign Juice last week. He & wingman Moonfish were in DC to brief the Pentagon & Congress on state of play in the skies of Ukraine. It was an incredible honor to spend time with a real hero defending his homeland from Russian war criminals. Not clear the visit had any impact here, but a positive development nonetheless, particularly in the wake of the latest crimes: thedrive.com/the-war-zone/u…

Today seems to be "write a story on the DHS Disinfo Board day," perhaps b/c of @SecMayorkas's Wednesday hearing in Senate Homeland. I'm already on the record (whatever that's worth) in support of coordination w/n @DHSgov on counter-disinfo work. Mainly b/c an internal coordination & governance mechanism is what DHS SHOULD be doing. The group is NOT operational, instead, designed to develop & feed 1A, civil liberties/rights, & privacy protections into operational activities, & ensure department equities are synched.

It's pretty remarkable how far the US intel community has come in counter-active measures efforts in the last few years. The analysis paralysis of the past has been replaced by an intentional workstream declassifying intel to expose plans before they're set in motion. Kudos. There's risk, of course, like "hey, it didn't happen, so you were just making it up!" or "where's the evidence?" But I expect for most, that's fine, b/c there's a very specific audience, i.e., Putin. The message is: "we know what you're up to, you've got leaks, don't do this."

Ugh. I watch this garbage bc it’s important to know what the superspreaders of disinfo are saying. This one single individual is responsible for an embarrassing assault on democracy. He doesn’t give a shit about America. He only cares about himself. We suffer in the meantime. Along the way he has enthralled a political party too scared of the base to speak up and do what’s right. This must end. Tomorrow is the day we celebrate the establishment of America. Of our democracy. We have work to do or this is going to slip through our fingers.

On ransomware, why are things so bad? h/t @ciaranmartinoxf
1) security posture of businesses making it too easy for the bad guys.
2) it's a profitable business model w/ low barriers to entry.
3) no meaningful consequences against the criminals or their hosts to date. Why would the Russian govt allow this to flourish? A few thoughts:
1) builds a cyber workforce they can call on later
2) creates well-paying jobs (& keeps them off the streets)
3) undermines confidence in western citizenry of their govt's ability to defend.

As a contributor and sometime stunt double in the Commission process, I have a lot respect for the work led by Sen. King and Rep. Gallagher. I particularly appreciated that the Commission recommended new authorities for @CISAgov, many subsequently enacted in the ‘21 NDAA.

https://twitter.com/natashabertrand/status/1377612889775820814

The main area where we differed in opinion was with the National Cyber Director, also enacted in the NDAA. I firmly believed (still do) clarifying and strengthening existing agencies was the area that would have the most immediate impact.

Thoughts on the Hafnium Exchange hack: (1) it's going to disproportionately impact those that can least afford it (SMBs, Edu, States, locals), (2) incident response teams are BURNED OUT & this is at a really bad time, (3) few orgs should be running exchange servers these days.

https://twitter.com/a_greenberg/status/1367989352366751746

So what do you do now? (1) patch (if you haven't already), (2) assume you're owned, look for activity, (3) if you aren't capable of hunting or can't find a team to help, disconnect & rebuild, (4) move to the cloud, (5) pour one out for IR teams, they've had a rough year(s?).

At noon today, I felt a huge sense of relief, accomplishment, and closure. The #Protect2020 effort we launched alongside 1000s of partners in the election community came to an anti-climatic, yet powerful close. Democracy held, despite efforts to subvert the will of the people. We all did our part to ensure the 2020 election was as secure as possible. And it was. No Kraken, no zombie dictators, and no widespread fraud. This was a free & fair election. We upheld and defended the Constitution irrespective of political affiliation. Country over party.

In the Summer of '19 @mastersonmv and the @CISAgov elections team started the #WarOnPineapple to raise awareness about how #disinfo campaigns work. Step 5, "Taking the Conversation into the Real World," is what we saw on Weds when incited insurrectionists stormed the Capitol. The rigged election claims had all the hallmarks of a foreign influence operation. From identifying the hot button issue, mobilizing accounts, trolls & other high profile accounts beating the drum, & then hopping into mainstream media. Unfortunately, it was a domestic operation.

"American voters decide American elections" was our mantra this year. That holds true. American voters decided this election. This last ditch effort to overturn the will of the American voter & the Constitution should be called out for what it is: Un-American and anti-democratic. These efforts also reinforce the foresight of the Constitutional framers in delegating the authority to conduct elections to the states, rather than a Federal body. An incumbent should NEVER be able to put their thumb on the scale of national elections.

As news breaks about what looks to be a pretty large-scale hack, I have the utmost confidence in the @CISAgov team and other Federal partners. I'm sorry I'm not there with them, but they know how to do this. This thing is still early, I suspect. Let's let the pros work it. Also, hacks of this type take exceptional tradecraft and time. On the 1st, if this is a supply chain attack using trusted relationships, really hard to stop. On the 2nd, I suspect this has been underway for many months. Need good detections to find victims and determine scope.