Cybercrime is an increasing threat that has expanded its sinister portfolio to include not only attacks on our money and privacy, but even our perceptions and beliefs.
President and CEO of Fortalice Solutions Theresa Payton is an expert on the subject and the methods for combating cybercriminals of all stripes. And as one of Security Magazine’s “Top 25 Most Influential People in Security,” she’s a regular guest on network news programs and starred in the reality TV series “Hunted.”
Her latest written work, Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth, profiles the cybercriminals waging a global war against the operations of governments and corporations, while shaping the perceptions of the average person. She explains how tech has been weaponized to obfuscate or suppress the truth in a multitude of ways, intending to influence the beliefs of Americans and people across the world.
“These attacks were designed, in many cases, to afford the masterminds behind them to have plausible deniability,” Payton explains. “The question that should be asked by an international review panel is this: Were Americans in our presidential elections, the British in the Brexit vote, and perhaps other global citizens coerced by manipulated social media newsfeeds to act in a way we wouldn’t have otherwise? Or did nation state operatives in Russia, China, Iran, or North Korea; unscrupulous political operatives; and other cyber operatives guide our minds in a direction many of us went along with all too willingly?”
Payton will join UVA McIntire Professors Ryan Nelson, Director of the Center for the Management of IT (CMIT), and Ryan Wright, Associate Director of the Center, for an hour-long virtual discussion at noon on July 30 to examine the many threats that are changing the very nature of how we interpret our world and act in it.
In advance of the special online event, we spoke to Payton about a few of the important subjects she investigates in her new book to better understand the startling and pervasive nature of these issues.
Who are “the manipulators” responsible for the bulk of attacks?
It varies. It’s vital for everyone to know that it’s not just nation states; it can be someone with a political agenda or cybercriminals, and the responsibility lies with each of us to spot and stop these campaigns. I dedicated Chapter 4 of the book to a review of the manipulators and their methods. The challenge we face is that it requires creativity and dedication to pull this off and not much more than that. Many of the misinformation and manipulation campaigns launched cost little financially to amplify. When you think of any country that would attack the United States and our allies through cyberattacks or social media, what names come to mind? For many, if I asked you to name out loud a list, Russia is almost always mentioned first. This is then followed by a short list usually including mentions of China, North Korea, and Iran. However, they don’t own the market on manipulation campaigns.
New players are also entering the world stage, and they are quite good at misinformation and manipulation campaigns. International reporters and the Pulitzer Center on Crisis Reporting project found that in Hungary the Orbán regime now controls Hungarian news media either directly or indirectly. The transition began over a decade ago, and it has paid off—not for the people of Hungary, but for Hungary’s communist Fidesz party. In less than seven years, 90% of the media is now under the direct control of the government or indirectly via friends of Fidesz. Why conduct a social media manipulation campaign if you can control your own news media? The freedom of researchers, reporters, and news media is under attack. Without a free press, who are we left to be able to believe? That’s what the manipulators want. If you doubt what you read with your own eyes, it leaves you open to their schemes.
Are certain types of tech more vulnerable? What about certain types of organizations? Are there some that are at greater risk?
When I think about our necessary transformation efforts due to COVID-19, it exposes technology, and now almost everything is, sadly, more vulnerable. What happens over the next several months could be the fastest reimagination of our economy in recent history. Some of those changes are the result of the pandemic, such as consumer-facing companies adapting contactless services that reduce the ability to transmit any diseases. We know that cyber operatives are constantly innovating, and they will be ready to take full advantage of these changes. I highly expect to see cybercriminals targeting contactless services, apps, devices, and transactions. They will also spend more time targeting AI customer service bots, AI decision-making engines, and any processes using AI. Why? Although projects have been in the works for years, many are accelerating. That acceleration moment is usually when cybercriminals decide it’s worth the time and effort to pounce—businesses reach critical mass using the technology and race towards it. It’s at that tipping point that we see in my business at Fortalice that cybercriminals strike.
How has harboring a healthy skepticism informed what you do in your work? How has it influenced how you went about choosing what aspects of cyber warfare to write about in your most recent book?
In the prologue for Manipulated, I tell a little story about my Irish gram, may she rest in peace, and the wisdom she passed along to me to always ask lots of questions and to be a skeptic. UVA encourages students to nurture being a skeptic—my classmates and I were encouraged to challenge our own theories and the theories of others and to logically find at least one or more alternate hypotheses. That wisdom shapes how I approach my work. I’m often quoted saying, “It’s only paranoia if it’s not true.”
I felt compelled to write about the tactics, protocols, and motives within the cyber warfare of manipulators in my book because we do not have a good cybersecurity posture to combat it. Although cybersecurity is not perfect, we have spent the last decades thinking through how to protect how you log onto systems, how to track information, and ways to secure it better. More needs to be done but we have frameworks, certifications, and degree programs that focus on these elements. Combatting misinformation and manipulation campaigns is a necessary addition to combatting cyber warfare, and it’s a nascent capability at best.
Have there been any positive signs or initiatives concerning the struggle against cybercrime that might provide any hope for the future?
The statistics show good news and bad news. Bad news: Cybercrime still happens, and it’s costly to stop, prevent, contain, and minimize downstream impacts. Good news: We have a better common body of knowledge and international information sharing and cooperation that are improving our ability to detect and deflect some attacks.
There are many wonderful innovations and successes that provide glimmers of hope. One example is we are on the verge of technology truly improving security of information and transactions that also reduces friction on the end user. For example, wouldn’t it be lovely if you could log into your bank account just to see the balance with the phone you always use, with your voice and your face? And then, if you wanted to go deeper and conduct transactions or view more details such as your name, account number, and more, that the system would ask you more security-oriented details? Situational-based cybersecurity is still in its early stages, but it’s an exciting time!
As we rely on tech for so much of what we do in our professional and personal lives, how can we as individuals actively protect ourselves?
One day, we’ll have true behavior-based and situational-based cybersecurity, but until we do, leverage multifactor authentication at every opportunity. Consider having an email account that’s reserved for items such as banking or health insurance that you do not use for social media. And always remember, using free WiFi without proper precautions such as antivirus, antimalware, and a privacy-focused VPN is like picking up a toothbrush off the ground and brushing your teeth with it. Yucky thought, but you’ll remember that advice next time you are tempted! You cannot trust the security hygiene of free WiFi.
To hear more of Payton’s insights on these types of cybercrimes, register for the webinar, A Conversation with Theresa Payton, Author of Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth.