Is Social Media a Critical Industry?
Russia interfered in the U.S. 2016 election, but did not materially affect it. That is the public belief of the U.S. intelligence community. It is a serious accusation and has prompted calls for additions to the official 16 critical infrastructure categories. One idea is that ‘national elections’ should be included. A second, less obviously, is that social media should be categorized as a critical industry.
The reason for the latter is relatively simple: social media as a communications platform is being widely used by adversary organizations and nations to disseminate their own propaganda. This ranges from ISIS using it as a recruitment platform, to armies of Russian state-sponsored trolls manipulating public opinion via Twitter.
Russian interference, or opinion manipulation, has not been limited to the U.S. Both France and Germany worried about it prior to their own national elections. On Nov. 3, this year, Damian Collins, Chair of the Digital Culture and Sport Select Committee in the UK, wrote to Twitter’s Jack Dorsey asking for information on the so-called Russian Internet Research Agency. He asked for a list of Russian accounts and posts linked to politics in the UK. Brexit is not mentioned, but interference in the UK Brexit referendum is clearly the concern.
One week later, CNN Money reported, “A network of Twitter accounts with ties to the Russian government-linked troll army that meddled in U.S. politics posted dozens of pro-Brexit messages on the day of the referendum on the United Kingdom’s membership of the European Union in June 2016.”
The assumed purpose of Russian interference in politics has been to promote extreme right-wing national populist movements that would weaken centrist governments. This is clearly an ‘attack’ against western nations, delivered primarily via social networks. It is noticeable that in both the U.S. election and the Brexit referendum there was a late and in many ways unexpected shift to the right.
Nevertheless, the idea of social media as a critical industry is a difficult concept. Malcolm Harkins, chief security and trust officer at Cylance, doesn’t think it is a great stretch. He points to the origins of the existing 16 industry sectors and notes that the primary motivation is to maintain their availability following the 9/11 attack.
The DHS introduces its definition of the critical infrastructure with, “There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” These include ‘energy’, ‘finance’, ‘transport’, ‘communications’ and ‘IT’. Maintaining the availability and continued operation of all of these sectors is clearly critical to the well-being of the nation. Maintaining the availability of social media does not seem so critical.
Harkins’ argument, however, is that the world has changed since the origins of the critical infrastructure classification.
Business and society have gone through, and are still going through, a dramatic ‘digitization’ of their operations. The internet and all things cyber have become fundamental to the operation of the economy and society.
“Where cyber is concerned,” Harkins told SecurityWeek, “the ‘A’ of ‘CIA’ is not enough. The Availability of the critical infrastructure must now be bolstered by the Integrity of the critical infrastructure.”
This should not be considered a trivial concern. The manipulation of information has always been a part of warfare, usually as a precursor to a kinetic attack.
“There has always been the notion of information manipulation in warfare — such as deception,” says Harkins. “If you can manipulate your enemy prior to a kinetic event, then you would have advantage over them.”
Campaigns from Alexander’s victory over Porus in 326 BC, through the Allied landings in Normandy in 1944, to Stormin’ Norman’s Desert Storm in 1991 have all relied heavily on feeding the enemy misinformation.
“The world today,” he continued, “is based on information with headlong digitization of both business and society. With everything now based on our reaction to and use of information, the integrity of that information has never been more vital.”
The availability of the Communications and IT sectors is already considered critical, and social media is the most important and widespread platform that unites the communications and IT sectors. If the concept of the critical infrastructure is widened from availability to include integrity, then social media is already, de facto, part of the critical infrastructure. “At what point,” asks Harkins, “does the integrity of the information flowing through the IT sector or the communications sector hit a significant and material risk that will force us to consider it critical?”
How this could work in practice is a different matter, for it couldn’t be limited to integrity in social media platforms. Facebook is not the only advertising medium that could run propagandist advertising (some 3,000 Russia-linked advertisements were placed on Facebook in 2016 apparently designed to influence the presidential election). “My guess is that even well beyond social media, mainstream physical advertising has been bought and used for the purpose of manipulating national sentiment.” If social media can be considered ‘critical’, then the whole concept of Fake News must be treated in the same way.
That would be a major task. Social media is perhaps the most pressing aspect of this, and could even prove a testbed for wider communications controls. “I think the case increasingly can, and will be made that social media is a part of critical infrastructure in that Twitter, Facebook and other media channels have become the ‘go-to’ resources for a large percentage of Americans,” comments Dan Lohrmann, CSO at Security Mentor. “Yes – social media is slowly becoming a critical part of critical infrastructure for our nation and other developed countries.”
But Nathan Wenzler, chief security strategist at AsTech, is not sure we are ready for this. He takes the ‘availability’ view of critical infrastructure. “Even with the potential influence of the last U.S. presidential election, I do not believe we should be looking at these social media services in the same way we view power, water, and other utility services which are required for people’s daily lives,” he told SecurityWeek. “If social media services were disrupted… there would be some outrage by the users, but by and large, their lives would not be dramatically impacted from a health or well-being standpoint. For this reason alone, I don’t see that we’re quite at the point of considering social media to be the same as these other critical services.”
He believes things may change in the future, but raises two of the many practical problems that will arise: accountability for users and attribution for attackers. Chris Roberts, chief security architect at Acalvio, takes a similar view. “We have little ability or success in being able to protect that which is already classified as critical infrastructure. The red tape is worn thin with excuses: the technology is not in place to deal with both 20 year old systems and modern insecure devices interconnected through a cloud-like pea-soup fog,” he said.
“If you want to consider the core systems as critical infrastructure, then you have to be able to manage, control and understand the access permissions, uniquely identify individuals and put some controls into access and other areas. That both seems like a tall challenge (getting 300M Americans to agree to security controls for their social media) and also something that might eventually break the constitutional rights of those folks to actually speak freely. If you put controls in place, where does that end?”
But if Harkins is right and the concept of integrity will need to be added to the concept of availability for the critical infrastructure, then something will have to change. There are signs that governments are beginning to feel threatened and therefore concerned. The UK government has been particularly vociferous over the last year, telling the social tech giants that if they don’t get their house in order, government will do it for them.
Indeed, the current government’s manifesto (a pre-election statement of intent) contains a strong purpose to control social media. “Some people say that it is not for government to regulate when it comes to technology and the internet,” it says. “We disagree… it is for government, not private companies, to protect the security of people and ensure the fairness of the rules by which people and businesses abide.”
The clear implication is that the tech giants’ protestations of: ‘don’t limit freedom of speech’, ‘legislation will stifle innovation’, and ‘it’s not technologically possible’ will not be accepted. Even U.S. lawmakers seem to be moving in a similar direction. On Tuesday, Nov. 21, counsels for Google, Facebook and Twitter were in Washington answering questions put at the Senate hearing on social media’s role in the 2016 election.
At one point, Senator John Kennedy (R-LA) said, “I don’t believe you have the ability to identify all your advertisers.” The tech companies effectively admitted this — although the reality is probably they cannot control advertising without losing some of it. But if government wishes to prevent foreign entities interfering in future elections, this quality of knowledge is essential. Social media should take note that there is precedent; government has enforced advertising control on new technology in the past. In the 1930s, new radio services carried misinformation and propaganda in the form of advertisements. The government cracked down on this with the 1934 Communications Act, placing greater responsibility on the medium to choose which advertisements it accepted. It could do similar with social media.
The likelihood of some legislative control over social media is growing. In the U.S. the primary concern seems to be its potential for foreign propaganda aimed at controlling national sentiment.
In the UK the primary concern is its use by terrorist groups and organized crime — although there is now some concern that Russia may have attempted to influence the Brexit referendum.
If Harkins is right, then this is really the visible effect of an underlying need to add integrity to the availability of the critical infrastructure. And if that is correct, then the legislation will need to apply to the whole communications sector and not just the social media aspect. But it goes further. If the need to apply integrity has grown through the digitization of industry, then the implication is that it will require confidentiality as well as integrity and availability if its security is to be assured. Confidentiality is best applied through encryption; and we are seeing increasing interest by government in controlling encryption. That, however, is a different battle; and both would benefit from a national debate.