Covert Influence? Here's How it Relates to Infosec.


In August 2022, The Washington Post reported that Facebook and Twitter removed a covert influence campaign disseminating Western strategic messaging re: Ukraine in the Middle East and Asia.

A number of commentators seemed surprised to learn that, like other nation states, the United States probably engages in covert influence on the internet. As a former executive officer of the CIA’s Covert Action Staff, I’m unusually familiar with covert influence tactics.

In my current role at SideChannel I see a lot of covert influence at work in various organizations, sometimes by nation-state actors and sometimes not. Here’s how I see covert influence show up in the workplace and how it relates to cybersecurity.

A Primer on Covert Influence

Strategic messaging and influence operations, whether covert or overt, are a massive part of life in the developed and developing world. We’re swimming in influence operations run by international corporations. The other word for this activity is “advertising.” The only difference is that government influence is designed to achieve political objectives, while corporate influence is designed to facilitate the redistribution of wealth to shareholders.

Most knowledgeable observers agree that corporate influence operations are more effective (and, consequently, more damaging) than government influence operations, even in the social and political sphere, but that ground’s already been covered elsewhere.

The vast majority of influence operations are overt. If you’ve seen ads urging you not to drink and drive, smoke, or rape people, you’ve been targeted by government influence. Propaganda reforms left a cut-out for “publicity” targeting Americans; broadly, if your message is overt political advocacy then it’s still permissible. It’s no coincidence World War II is viewed by many Americans as the last “good” war and is also the last war where censorship and propaganda were legally used to manipulate Americans’ understanding of what was going on.

Most foreign influence operations conducted by the United States government are the equivalent of this: ads encouraging foreigners not to join al Qaeda, not to support their government’s nuclear/biological/chemical weapons program or the local cartel. These operations are done with attribution, meaning that somewhere in the ad, there’s a logo or other indicator that the message is funded by the US government.

Imagine a Super Bowl ad where a cowboy driving a Chevy pickup truck asks you to embrace adventure and become a foreign fighter. A tagline at the end says “This message brought to you by ISIS.” You get the gist. For the most part, these messages are laughably ham-fisted and are openly mocked by their targets on social media and in extremist forums.

There is, however, an entity within the US government that is allowed to undertake covert influence operations: the Central Intelligence Agency. While the DOD is authorized to do clandestine operations, wars and other military actions are inherently public actions. While war was once considered diplomacy by other means, modern warfare–4th generation warfare–is public relations by other means.

Covert action, on the other hand, is reserved for the CIA under the direct authority of the President. Covert action is a mechanism by which the President can carry out policies that are intended to remain secret forever (results vary). Most of the time, covert action is just a continuation of an administration’s policies using mechanisms that wouldn’t work with attribution. So too with covert influence. The reality is that a lot of modern political conversation and social consensus emerges on social media, so if you want to influence those conversations, that’s the sandbox in which you have to play.

So, generally, when you see US-aligned messages being disseminated en masse with attribution, you’ll know who’s responsible for it. If you see US-aligned messages being disseminated en masse without attribution, you can assume it’s being done by the CIA (or on their behalf) under covert action authorities, since they’re the only US entity authorized to engage in that kind of activity.

Spotting Covert Influence in Your Organization

Currently, private firms lose $78 billion annually to disinformation, and 87% of executives say the spread of disinformation is one of the greatest reputational risks for businesses today.

We’re watching the Russians successfully use social media to influence western political conversations and, arguably, outcomes with this kind of disinformation. Undoubtedly, CIA leaders briefing Congressional Oversight Committees are being asked why they can’t achieve similar effects.

The possibility of accomplishing ambitious strategic objectives without firing a shot and for relatively little money must be tantalizing. And it’s not necessary to use disinformation to accomplish your objectives. Often, the best propaganda is true.

Which is all to say that, in much the same way cybersecurity professionals have gotten used to seeing nation state threats sniffing around and sometimes penetrating our networks, we can expect to see them on social media and in our intranets as well.

In the geopolitical sphere we often witness covert influence sway actions or thoughts. At work, it still sways thought, and it often presents as blockers or prevents action. Covert influence is often a contributing factor to failed projects and ineffective change initiatives because change leaders fail to recognize covert influence at work and acknowledge the organizational dynamics that are also at work in their organizations.

To effectively combat covert influence at work, one must understand objectives and the unwritten rules of their workplace. Their understanding of these dynamics helps us identify them.

So What?

You may notice that information security people are spending more and more time talking about disinformation and misinformation. That’s because hacking has always been about systems more than technology. Often the most reliable method of compromising an organization involves social engineering or hacking the humans that interact with vulnerable systems. Disinformation, misinformation and covert influence are simply nation states attempting to do this at scale.

As late as the early 2000s it seemed unthinkable that for-profit entities and state and local governments would need to include malicious acts by foreign nation states in their risk analysis. Since then, multiple high-level breaches have caused massive damage to private citizens and companies. The Center for Strategic and International Studies publishes a timeline of significant cyber incidents that result in losses of $1M+. In recent history:

  • October 2022. Hackers targeted several major U.S. airports with a DDoS attack, impacting their websites. A pro-Russian hacking group promoted the attack prior to its execution.
  • October 2022. Pro-Russian hackers claimed responsibility for an attack that knocked U.S. state government websites offline, including Colorado’s, Kentucky’s and Mississippi’s.
  • October 2022. CISA, the FBI, and NSA announced state-sponsored hacking groups had long-term access to a defense company since January 2021 and compromised sensitive company data.
  • June 2022. The FBI, National Security Agency (NSA) and CISA announced that Chinese state-sponsored hackers targeted and breached major telecommunications companies and network service providers since at least 2020.
  • June 2022. A phishing campaign targeted U.S. organizations in military, software, supply chain, healthcare, and pharmaceutical sectors to compromise Microsoft Office 365 and Outlook accounts.

And those are examples of foreign entities targeting U.S. entities. Now, the private sector will have to consider how covert influence will affect their business.

Large internet companies have set policies and hired teams of professionals to navigate the risks of covert influence along with risks of cyber warfare and espionage. Most small organizations can’t justify the budgets necessary to have these full-time resources. For the rest of us, access to a deep bench of professionals with decades of experience is a massive value for startups and mid-sized businesses. Luckily, practical help is available through our full-service information security firm.

For more information on how SideChannel can mitigate risks in a rapidly changing world, contact us.

David Chasteen

David is COO, EVP of Operations at SideChannel. He brings extensive experience from his time spent in the intelligence community and local government. David was most recently CEO for Cipherloc Corporation, CISO for GoFundMe and the San Francisco Police Department, and previously served as the executive officer of the CIA’s Covert Action Staff and as a captain in the Army Chemical Corps. He is a founding member of Iraq and Afghanistan Veterans of America. He was technical consultant for Amazon’s Jack Ryan and a writer and consulting producer for Amazon’s El Candidato.