Best Infosec-Related Long Reads of the Week, 4/29/23
New firms tackle misinformation, Biden's spyware order is the first step, Better OSINT needed to spy on China, Latin America views cybersecurity as secondary, We're all soft targets on Twitter now
Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long-form infosec-related pieces we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!
These Online Detectives Have Raised $300 Million to Keep Lies From Triggering the Next Bank Run
Bloomberg’s Margi Murphy looks at how companies like Alethea and Graphika, which wade through the “online muck” using AI software, help organizations protect themselves from misinformation and social media manipulation.
Venture capital firms and private investors committed more than $300 million to these kinds of startups from 2018 to 2022, according to data company PitchBook. Last year alone, Microsoft bought Miburo, founded by counter-extremism researcher Clint Watts, who now leads its Digital Threat Analysis Center; Spotify purchased another extremism monitor, Kinzen; and Amazon.com was among those that invested a combined $24 million in Logically, which tracks digital hate speech, foreign propaganda and crypto scams.
The SVB crisis illustrates why there’s such interest. Built over years or decades, an organization’s reputation represents intangible wealth that can make up much of its value. In the internet era, it can be destroyed overnight. The broader issue would be outright lies, not just posts that fan panic, that undermine the world’s financial system. The European Banking Authority has warned that banks are “vulnerable” to runs because of “campaigns that spread inaccurate information.”
To address this risk, the anti-disinformation startups typically have artificial intelligence software that scours the web for suspicious content. They then issue reports or alert corporate victims about online lies. The companies make money in a variety of ways. Some charge consulting fees or work on retainer. Alethea declined to discuss pricing. One of its main competitors, Graphika Inc., says typical arrangements are subscriptions starting at roughly $100,000 a year.
Biden’s Spyware Order: A Needed First Step
Steven Feldstein, senior fellow in the Democracy, Conflict, and Governance Program at the Carnegie Endowment for International Peace, and Allie Funk, research director for technology and democracy at Freedom House, argue in Lawfare blog that President Biden’s executive order limiting federal agencies’ use of commercial spyware is a good first step in addressing the proliferation of the malware, but that Congressional action to address spyware at the state and local level, and effort in the international arena, are needed.
The executive order’s impact on the global spyware trade depends on subsequent policy action from other governments. If the White House wants to guarantee effective international cooperation on spyware, it will need to use its diplomatic and economic leverage to strengthen that cooperation and encourage like-minded governments to implement common standards.
These efforts are already underway. A new joint statement by the U.S. and 10 other countries outlines their commitment to limiting the use of spyware at home, strengthening information-sharing with industry and civil society, and pressing nonsignatories to follow suit. The Export Controls and Human Rights Initiative, launched during the first Summit for Democracy last year, developed a code of conduct detailing how subscribing states can better incorporate human rights considerations into export controls. And the governments of France and the United Kingdom have agreed to bolster efforts to tackle commercial spyware through the U.K.-France Cyber Dialogue.
Some governments have gone further. Last year, Costa Rica became the first country to call for a global moratorium on commercial spyware. Early this April, the government of the Catalonia region in Spain approved a moratorium on the “export, sale, transfer, and use” of tools like NSO Group’s Pegasus until the government can verify that these firms are complying with human rights.
How to Spy on China
Peter Mattis, Director for Intelligence at the Special Competitive Studies Project, explains in Foreign Affairs that the US intelligence community has difficulties understanding Chinese objectives and leveraging that understanding to anticipate Chinese actions, such as a potential invasion of Taiwan, and that one step toward a better US grasp of China’s intent to steal American technology is better analysis of the country’s abundant open source intelligence.
The United States has repeatedly said that it is concerned about China stealing its technology. But if Washington wants to better grasp the aims of these Chinese initiatives, it needs to invest more in collecting, processing, and analyzing the large and ever-growing body of public and commercially available information. Procurement and hiring notices, award announcements, and research funding—among many other sources—can all provide useful insights, especially when aggregated. Local CCP apparatchiks also release plenty of easily accessible data through their reports and statements that, studied broadly, can help the United States understand the full breadth of China’s plans and whether they are being carried out.
But so far, Washington’s efforts to use more public information have come up short. Over the last five years, multiple intelligence agencies have established open-source offices, but they are underfunded and do not communicate much with one another. As a result, the insights they gather tend to be siloed and incomplete. To remedy this lack of coordination and improve analysis overall, the United States should create a standalone open-source agency with the authority to acquire, examine, and share open-source data across all parts of the intelligence community.
The Political Cybersecurity Blindfold in Latin America
Louise Marie Hurel, research fellow in cybersecurity at the Royal United Services Institute (RUSI), recounts in Lawfare blog how countries in Latin America are coping with ever-increasing cybersecurity threats yet still consider cybersecurity a secondary threat behind the more structural security concerns of threats to democratic stability.
One of the problems is that while Latin American countries thirst for development and sustainability—which is undeniably and increasingly associated with the digitalization of its services and expansion of digital markets in the region—they are often slow to understand the importance of cybersecurity as a pillar for achieving the sustainable and resilient kind of development they seek amid more pressing agendas. This means that cybersecurity concerns are often addressed reactively—after a major incident—rather than proactively. The wave of incidents targeting the judicial system in Brazil since 2020, for example, rapidly set in motion the development of a cybersecurity committee specifically for the judiciary and policies dedicated to managing and responding to future events within that sector. Only recently—and especially during the pandemic—have political elites started to understand and grasp the transversal threat that vulnerabilities can pose to all sectors of society. Otherwise, the cybersecurity agenda can often seem detached, technical, and distant from individuals’ everyday concerns.
It also means that, given the reactive posture, governments face the risk of incorporating a skewed perspective of the threat. While notorious ransomware incidents have indeed crippled entire federal entities and local governments, many of the security issues and vulnerabilities derive not from sophisticated actors but from a basic lack of cybersecurity protocols being implemented by public and private entities.
My Twitter’s Been Hacked. But Hasn’t Everyone’s?
New York University School of Law professor Daniel Hemel recounts in Slate how, even as a relatively low-profile target on Twitter, his account was hacked to promote a cryptocurrency scam (with Twitter offering no help) and argues that all Twitter users are now soft targets for malicious actors, particularly given that Twitter has restricted two-factor authentication to only paying Blue subscribers.
Since the sale was officially consummated in October, the plutocrat who pledged to make Twitter our “digital town square” has transformed the site into a speech environment that more closely resembles Tiananmen—one where journalists have been suspended for reporting too harshly on the man in charge. But unlike the most rigidly controlled authoritarian regimes, the site is a source of near-constant chaos. It turns out that Web 2.0 platforms still require warm bodies to make them run smoothly, and Musk has been unable or unwilling to retain human beings who can respond appropriately and with alacrity when an account is hacked.
Now, it doesn’t much matter to the world when a tax professor’s Twitter handle is requisitioned by cryptobots. The more worrisome possibility is that a truly important account—for example, one belonging to the Federal Aviation Administration or the BBC or some country’s foreign ministry—will be commandeered for a prolonged period by bad actors who spread misinformation more malicious than a “$STONKS” scam. (Musk has further exacerbated the problem by removing Twitter’s characteristic blue checkmarks from verified accounts unless the account owner antes up $8 a month—making the site an even less trustworthy information environment.) Hopefully in the case of a more dangerous instance of impersonation, the rump staff at Twitter Support will be more helpful than it was to me. Then again, this is a company that currently auto-replies to all press inquiries with a poop emoji. I asked Twitter to comment on my tale of woe, and the response—as expected—was a picture of feces.