“This is now the new normal”: An expert explains why cybersecurity risks aren’t going away

There are threats not just from Russia and Iran, but from other countries and lone wolves, heading into the 2018 midterms.

The crazy Trump-centric news cycle has become the new normal in the United States. So has the scenario of constant cybersecurity risks where it seems like there’s a new worrisome development every week, if not daily.

Just last week, Microsoft said it found more evidence of Russian government hacking efforts, including of conservative United States think tanks. Facebook, Twitter, and Google all announced that they took down accounts determined to be part of an Iranian influence campaign.

With the 2018 midterm elections fast approaching, National Security Adviser John Bolton warned last weekend that he anticipated threats from China and North Korea on top of Russia and Iran. And the problem is hardly contained to the United States: The activities Facebook identified last week out of Iran and Russia were also aimed at the UK, Latin America, and the Middle East.

“This is now the new normal,” Theresa Payton, CEO of security firm Fortalice Solutions and former White House chief information officer under President George W. Bush, told me.

I reached out to Payton to discuss the current cybersecurity landscape and what the government, private companies, and, frankly, everybody online can do in the midst of this never-ending cycle of cyber Whack-a-Mole. She talked about the importance of private actors — FireEye, for example, tipped off Facebook to the Iranian campaign — and about why it matters for citizens to say something when they see something weird online.

Payton also talked about the need for a coordinated international response to disinformation campaigns — and just how difficult that might be, even when it comes to defining exactly what cyber warfare is.

“We haven’t actually defined what is considered an act of war in the cybersecurity realm,” Payton said. “We have in the physical realm — if tanks move in certain directions, if missiles are fired, if airplanes are in the wrong airspace, if ships are in the wrong shipping lanes. But we haven’t done that for the digital space.”

My full conversation with Payton, edited for length and clarity, is below.

Emily Stewart

Do we have a good picture of what’s going on in terms of cybersecurity risks and the midterm elections, or is all of this the tip of the iceberg?

Theresa Payton

We know a lot more going into the midterms, but this is potentially the tip of the iceberg, and this is now the new normal. You have not just Russia, but you’ve got other groups around the world who are targeting not just US elections but potentially UK elections. The Canadians are concerned about their elections being targeted. This is a new normal that’s been developing over the course of a couple of years.

If you look at the Freedom of the Net report, an annual study of internet freedom globally, they started sounding the alarm a few years back saying that they were observing countries where the regime in power was trying to manipulate social media to manipulate how their own constituents would think about voting for them. They were meddling within their own countries, not other countries. And it was only a matter of time before those techniques and tactics would be adopted.

If you think about what Russia has been able to pull off, and now that it’s expected that Iran is also playing the political espionage game, they’ve taken the best of what Silicon Valley has made to offer all of us — which is connecting us at light speeds, helping us see things that are of value to us, trying to help us share more information with each other very quickly, and creating some of these open, trusted, hyper-connected platforms — Russia took advantage of that. And they actually used it against us.

Here you have these platforms that are built for really altruistic purposes that are being used for this political espionage campaign.

Emily Stewart

We have seen more reports about activity out of Iran, and the government has also warned about cyber threats from countries such as China and North Korea. The public has mostly been focusing on Russia up to now, is that a mistake?

Theresa Payton

You have these different government organizations and foreign governments who want to flex their cyber muscle. And they want to be relevant on the global stage.

When international negotiations with countries like North Korea, Iran, Russia, and China potentially don’t go in the direction those countries would like them to go, they have built up a cyber arsenal that’s at the ready that they can use.

Really, that has to be discussed and put on the table really at a United Nations and NATO level where we’re discussing the ability to surveil, and trust but verify, and make sure that things are on the up and up. Cyber capabilities are a part of that. Having a determined effort to steal individual identities, or to steal business’s intellectual property to reuse or sell it, or to meddle in democratic elections, that that is not considered okay.

There really needs to be an international body calling the shots on what’s really a grey area to say, “Here’s what’s not okay, and here’s what the UN and NATO will do if a country is accused of doing these things, and here are the ramifications for that.”

People will ask me if I think we’re in a cyber war, and I say I think we’re in a cyber reality, because we haven’t actually defined what is considered an act of war in the cybersecurity realm. We have in the physical realm — if tanks move in certain directions, if missiles are fired, if airplanes are in the wrong airspace, if ships are in the wrong shipping lanes. But we haven’t done that for the digital space.

Emily Stewart

So you mention this idea for some sort of international coalition out of the UN or NATO, but who takes leadership there? Can the United States, given the Trump administration’s positioning? We’re not really playing ball in the way that we have in the past.

Theresa Payton

It could very well be that [US ambassador to the UN] Nikki Haley could lead the charge.

And as it relates to us in the United States, it’s really crucial that elected officials on both sides of the aisle not politicize this issue in the short-term. There are grave long-term consequences for national security.

We’re doing a lot of really good work. If you look at the responsibilities of the Department of Homeland Security, they have been working incredibly hard with the states at the local level to provide guidance, council, and services at no charge to the states to help them harden their defenses. We do need to make sure that it’s not just DHS but that the intelligence and the homeland security outside the DHS are truly sharing information and tools.

And at a higher level, if the US can show the world what we’re doing, then that gives Nikki Haley the ability to sit at the global table and say that we need an independent commission that is ensuring that elections are truly are free and democratic and free of political espionage and meddling in the cyber realm.

Emily Stewart

To get beyond what governments can do, what we’ve seen lately is that the private sector is actually playing an important role in all of this. Microsoft has been catching Russian actors; FireEye tipped Facebook off to the Iranian activity. How do these companies even end up in these positions in the first place?

Theresa Payton

There are multiple groups that have to come together to create a cohesive team here.

For example, you want to have executive orders coming out of the White House around election security being a priority, then you want the Hill creating legislation and making funding available for election security. Then there’s a role the private sector plays — you want the telecommunications companies and internet providers themselves, who are seeing traffic traveling from all different locations, to be involved. You have the security community, the private sector providers or products and services who are seeing trends, who are seeing problems, they’re on the frontlines of forensics, they’re seeing emerging trends and problems. And then you have the Department of Homeland Security and other three-letter agencies who need to come together and find ways to share actionable intelligence that can be used at the state and local level to make sure that state, local, and federal elections are secure.

This is truly one of those group efforts.

Silicon Valley plays a role here, too. For the work that Facebook, Twitter, Google, and Microsoft have been doing on this, I say bravo. It really isn’t part of their business model, and they’re having to take a step back and say, “How do we be good global citizens, and how do we be good US citizens, as US-headquartered companies, and how do we step up our game to alert when we see something that doesn’t make sense to us?”

This is where the evolving technologies we have around artificial intelligence and machine learning can be incredibly helpful and valuable in combatting what’s going on here with fake personas [being created on social media].

My concern is as we continue to detect these anomalies in real time and shut them down, they’re not going to stop what they’re doing, because there’s not, at this point, an international accord that holds them accountable. The tactics become more complex, more covert, and harder to detect. A lot of what we’re dealing with is hiding in plain site, it’s looking for patterns.

My concern is that out of Russia, Iran, and potentially other countries such as North Korea and China who are in different trade discussions with the US, we will find lone wolves and activist groups who will look for opportunities to take over Americans’ social media accounts. They say, “I know if it’s a new account and I have this activity, it will be obvious. So why don’t I look for accounts that have been around for a long time and have a decent amount of followers but haven’t really posted anything in a while?”

They do an account takeover and leverage seemingly normal accounts that have not had a lot of activity lately, so the user may not notice, and use them as part of a propaganda campaign. It’s harder for machine learning and AI to spot that.

We have to continue to alert not just the private sector and the US government on this, but consumers play a role here, too. Make sure that you use two-factor authentication for social media accounts, especially if you’re not active and you may not notice an account takeover. Make sure that if you see things that don’t seem right or make you uncomfortable, you report them to that corresponding platform. And understand that the new normal are these fake personas with misinformation campaigns. Step away from social media and go to trusted, vetted media sources for information and make up your own mind how you think and feel and choose to vote when you walk into that voting booth.

Emily Stewart

I was talking to someone who works for a social media company the other day, and that person mentioned concerns that companies turn into a political football — some Democrats blame Facebook, Twitter, etc. for swinging the 2016 election, and if Republicans lose the House in 2018, for example, the GOP will blame the same companies, saying they’re biased against conservatives. Is that a risk you see, too?

Theresa Payton

Again, I think all of the moves that Facebook, Twitter, Instagram, Snap, and all of the different Silicon Valley companies have made have been helpful. It’s a tricky place to be, because they want to serve all, regardless of what their personal political leanings are, and they do know they run the danger of being accused of acting otherwise. Look at the Obama campaign — they had an amazing ground campaign, but they had an even more amazing social media campaign. And there was a thought process that maybe social media was in the pockets of Democrats and the Obama administration.

What you can see is that that’s not the case — they may have their own personal policy views, but they want to be a platform that serves all and not just one particular group with one particular policy point of view. It’s important for them to show that they are party-neutral when it comes to fake personas and anything that smells like hate speech, election meddling, and anything of that nature.

Some parties run the risk of blaming social media platforms for winning or losing. What it comes down to is the media for staying on this, for asking the right questions, and informing the public. Because now the public should be more aware that when they are on social media and see some sort of topic or information trending, it could be of a disinformation campaign. That’s when it’s time to step off of social media and do your own research.

A lot of people are very busy managing their everyday lives, and social media is where they keep up with their friends and oh, by the way, they see news items. They may not have the time to step away and actually go to the original sources. It’s important for them to have that reminder as they’re making decisions on who to vote for or who not to vote for that they step away from social media and go to one or two different news sources to get the information and make the best decision.

Emily Stewart

Last question for you: looking at the landscape we’re in now, where it’s clear that social media disinformation campaigns are going to continue, where it looks like multiple countries are interfering in US politics and politics all over the world, what are the fixes? If you had a magic wand, what are, say, two things you would do?

Theresa Payton

On the international level, we should get together with our allies, even if it doesn’t fall under the UN and NATO, and put out a joint coalition statement to say there are agreements that each of these countries has reached to help each other ensure the integrity of each other’s elections and to stop misinformation campaigns. It would need to state very clearly that we’re going to share intelligence and resources, and when we see something we’re going to alert other countries to it, and we see this as a global problem, something that we’re all locking arm-in-arm to solve.

On the US-facing level, if we could create an easier way for organizations and individuals to say something [has the wrong] sense to them and to know where to report it, that would be great.

For example, if you’re at a precinct office to vote, who do you report an irregularity to? If you go to a voting website to register to vote and get everything in order and something doesn’t seem right to you, who do you report that to? It could be many of the things are being reported really need to be handled at the local level, but how do we get that macro view?

I would create a very simple way for the states to be states and have their state rights but that gives people the opportunity to say, “I’m seeing something here that doesn’t make sense, and I’d like to report it.” And then that reporting would go to a central location to see if there are trends across the United States that need to be addressed.

Everyone else already working on this — Department of Homeland Security, intelligence agencies, all the services, tools, briefings under say — has to keep at it. We’re running out of time before the midterms.

And in the states, there’s a war for talent. There’s a huge labor challenge, and they’re competing for the same talent that private sector companies are. I know the states are diligent and vigilant around this, and they’re working hard, and they’re going to need that, and we need to wish them well and wish them a lot of luck. They really have a monumental, daunting task ahead of them to make sure that everything is secure and goes flawlessly, and that every vote that’s count is counted the way it was intended to be cast.

The states have a big job ahead of them, and so does Silicon Valley in rooting out fake personas and this misinformation campaign.