The Cybersecurity and Infrastructure Security Agency’s (CISA) continues to model an operational structure with an effective public/private partnership component that yields actionable results. From the new level of detail and sophistication of the technical information, mitigation recommendations, and general resources included in recent CISA and joint Cybersecurity Advisories (CSA) [generated by the Joint Cyber Defense Collaborative (JCDC)] – or the broad success of the messaging, information distribution, and community-building function of the CISA Shields Up! Initiative, there are communications strategy lessons to be learned from CISA by even the best corporate board of directors and corporate communications department.
The latest success is the evolution of the CISA Cybersecurity Advisory Committee (CSAC which meets quarterly) and its subcommittees, specifically the time-sensitive work of the Protecting Critical Infrastructure from Misinformation and Disinformation (MDM) Subcommittee.
Following is the anatomy of a CSAC subcommittee, including the mission statement formulated in December 2021, followed by the subcommittee’s quarterly updates, reports, and recommendations. The case study concludes with the recently released public service announcement from the FBI and CISA – which demonstrates the value and impact of the work of the subcommittee since December 2021.
December 2021 – A Call to Action from CISA’s Jen Easterly and Def Con’s Jeff Moss at Inaugural CISA Advisory Committee Meeting: The main output of the meeting, according to CISA, was the establishment of “subcommittees that will focus on key objectives and provide tangible deliverables ahead of the next committee meeting.” The mission statement of the Protecting Critical Infrastructure from Mis- Dis- and Mal-information Subcommittee was as follows:
“The core of CISA’s mission is to safeguard America’s critical infrastructure. Unfortunately, the nation has seen the corrosive effects of mis-, dis-, and mal-information (MDM) across a host of critical infrastructures in recent years impacting our election systems, telecommunications infrastructure, and our public health infrastructure. This subcommittee will evaluate and provide recommendations on CISA’s role in this space and ensure that the agency is providing value that fits within its unique capabilities and mission.”
QUARTERLY SUBCOMMITTEE UPDATES
April 2022 – Takeaways from the Second Meeting of the CISA Cybersecurity Advisory Committee: Subcommittee chairs provided updates on the progress being made on key objectives outlined during the Committee’s inaugural meeting:
Protecting Critical Infrastructure from Mis- Dis- and Mal-information (MDM) Subcommittee – Dr. Kate Starbird, Associate Professor, Human-Centered Design & Engineering, University of Washington: The subcommittee is evaluating and providing recommendations on CISA’s role in confronting MDM harmful to critical infrastructure, in particular election infrastructure. The subcommittee chair discussed strategies to combat MDM, including relevant data sets and messaging strategies.
“The Committee has truly hit the ground running in scoping key areas of focus to help support our evolution as the nation’s cyber defense agency. I look forward to our next meeting in June where we’ll begin to get a sense of key deliverables,” said CISA Director Jen Easterly.
July 2022 – Takeaways from the Third Meeting of the CISA Cybersecurity Advisory Committee: After opening remarks, there was a public comment period, followed by Subcommittee Updates/Deliberation and Vote:
Protecting Critical Infrastructure from Mis- Dis- and Mal-information (MDM) Subcommittee – Dr. Kate Starbird, Associate Professor, Human-Centered Design & Engineering, University of Washington: The subcommittee is evaluating and providing recommendations on CISA’s role in confronting MDM harmful to critical infrastructure, in particular election infrastructure. During [the] meeting the subcommittee chair recommended that CISA focus on addressing MDM risks that undermine critical functions of American society. As part of this work, the subcommittee recommends that CISA should invest in external research to assess the impact of MDM threats and the efficacy of its MDM mitigation efforts.
CSAC New Topic: Assessment of the Feasibility and Key Characteristics of a National Alert System for Cyber Risk: “Director Easterly was also pleased to assign the Committee a new topic for their advice, specifically that they assess the feasibility and key characteristics of a national alert system for cyber risk. The goal of this capability would be to provide a clear and simple method to convey the current severity of national cybersecurity risk to America’s critical infrastructure owners and operators taking advantage of the unique insights from CISA’s analysis of evolving threat activity and our global partners. This system would complement CISA’s existing production of alerts and advisories on specific, actionable risks. Director Easterly looks forward to the Committee’s evaluation of the operational efficacy of a national cyber alert capability.” (1)
September 2022 – CSAC September Quarterly Meeting Member Meeting Agenda (cisa.gov): The quarterly meeting summary is not posted yet. We will provide research and analysis when it becomes available.
2022 REPORTS AND RECOMMENDATIONS
CISA’s mission is to strengthen the security and resilience of the nation’s critical functions. The spread of false and misleading information can have a significant impact on CISA’s ability to perform that mission.
CISA should take a similar risk management approach to these risks that it takes to cybersecurity risks. Borrowing from a growing body of research, we define misinformation as information that is false, but not necessarily intentionally so; disinformation as false or misleading information that is purposefully seeded and/or spread for a strategic objective; and malinformation as information that may be based on fact, but used out of context to mislead, harm, or manipulate.
The spread of false and misleading information poses a significant risk to critical functions like elections, public health, financial services, and emergency response. Foreign adversaries intentionally exploit information in these domains (e.g., through the production and spread of dis- and malinformation) for both short-term and long-term geopolitical objectives.
Pervasive MDM diminishes trust in information, in government, and in the democratic process more generally. The initial recommendations outlined below focus on mis- and disinformation (MD) about election procedures and results. Future recommendations may seek to address the potential impacts on other critical functions and some of the unique challenges in identifying and countering malformation.
The First Amendment of the Constitution limits the government’s ability to abridge or interfere with the free speech rights of American citizens. The First Amendment and freedom of speech are critical underpinnings of our society and democracy. These recommendations are specifically designed to protect critical functions from the risks of MDM, while being sensitive to and appreciating the government’s limited role with respect to the regulation or restriction of speech.
CISA is uniquely situated to help build awareness of MDM risks and provide a robust set of best practices related to transparency and communication when addressing mis- and disinformation, specifically in the election context.
“Responding to misinformation is my day job. My night job is running elections.”
— Stephen Richer (Recorder, Maricopa County AZ)
In addition to researching the issue of MDM more broadly, our committee gathered input from election officials, many of whom are acutely struggling to address mis- and disinformation. Election officials, especially those in small jurisdictions, often lack the training and resources to identify and address the spread of false claims, which is becoming an increasingly demanding aspect of their jobs. Meanwhile, mis- and disinformation are undermining trust in their work and leading to personal harassment and even physical threats.
September 2022 – REPORT TO THE CISA DIRECTOR: Protecting Critical Infrastructure from Mis- Dis- and Mal-information (MDM) Subcommittee – Information Sharing Around Foreign Adversary Threats to Elections:
The Protecting Critical Infrastructure from Misinformation and Disinformation (MDM) Subcommittee submitted its first set of recommendations in June 2022. The recommendations outlined below aim to emphasize and add further detail to key points and provide additional items for consideration.
- Share information with state and local election officials. CISA should work with the Intelligence Community (IC), including the Federal Bureau of Investigation, to ensure that the information needs of election officials around foreign disinformation threats are prioritized. To identify the intelligence requirements of local and state election officials, CISA should work with the Elections Infrastructure Government Coordinating Council (GCC). In particular, the CSAC believes that providing information and assistance to the many local elections officials across the country is critical, not just secretaries of state or election officials at the state level.
- Protect the courts. Given the essential role courts play in ensuring the resolution of disputes about the election process and ensuring the peaceful transfer of power, they, too, may be the target of an intensified campaign to undermine public trust in the legitimacy of their processes. CISA should consider the following two recommendations that:
- Relevant information around foreign hacking and disinformation attacks is shared with the courts; and
- The IC includes adversary activity targeting the courts in the collection and analysis of priorities related
- At the highest level, CISA should share up-to-date “best practices” around how to proactively address and counter MDM based on the most recent research. To help election officials craft their messaging, CISA should provide templates and customizable content that local and state election officials can adapt to their specific needs. A particular need for many local and state election officials is around establishing a website.
- CISA must ensure that there is a national effort to bring insights together on an ongoing basis, and to share tools, training, and templates. Elections are ultimately local and must be managed locally. That said, some of these disinformation campaigns are likely to use similar tactics, techniques, and messaging aimed at multiple jurisdictions.
- CISA’s role in this whole-of-nation effort to counter adversary information operations around upcoming elections should be consistent with this Subcommittee’s earlier recommendations, with a focus on furthering CISA’s existing mission. Within the federal government, the intelligence community is likely to have the best insights on foreign adversary activity. CISA’s role should be to ensure that those insights are promptly provided to state and local election officials. CISA should also consider unique aspects of foreign information operations when developing tools, templates, and training for those officials.
ELECTION INFRASTRUCTURE PUBLIC SERVICE ANNOUNCEMENT
The Federal Bureau of Investigation (FBI) and CISA have published a joint public service announcement that:
- Assesses malicious cyber activity aiming to compromise election infrastructure is unlikely to result in large-scale disruptions or prevent voting.
- Confirms “the FBI and CISA have no reporting to suggest cyber activity has ever prevented a registered voter from casting a ballot, compromised the integrity of any ballots cast, or affected the accuracy of voter registration information.”
The PSA also describes the extensive safeguards in place to protect election infrastructure and includes recommendations for protecting against election-related cyber threats.
- For information about registering to vote, polling locations, voting by mail, the provisional ballot process, and final election results, rely on state and local government election officials.
- Remain alert to election-related schemes which may attempt to impede election administration.
- Be wary of emails or phone calls from unfamiliar email addresses or phone numbers that make suspicious claims about the elections process or of social media posts that appear to spread inconsistent information about election-related incidents or results.
- Do not communicate with unsolicited email senders, open attachments from unknown individuals, or provide personal information via email without confirming the requester’s identity. Be aware that many emails requesting your personal information often appear to be legitimate.
- Verify through multiple, reliable sources any reports about compromises of voter information or voting systems, and consider searching for other reliable sources before sharing such information via social media or other avenues.
- Be cautious with websites not affiliated with local or state government that solicit voting information, like voter registration information. Websites that end in “.gov” or websites you know are affiliated with your state or local election office are usually trustworthy. Be sure to know what your state and local elections office websites are in advance to avoid inadvertently providing your information to nefarious websites or actors.
- Report potential crimes—such as cyber targeting of voting systems—to your local FBI Field Office.
- Report cyber-related incidents on election infrastructure to your local election officials and CISA (Central@CISA.gov).
The current role and future of CISA, misinformation and cognitive infrastructure research and policy will all be discussed at OODAcon 2022 – The Future of Exponential Innovation & Disruption in the context of the following panes:
- Disruptive Futures: Digital Self-Sovereignty, Blockchain, and AI
- Future Wars: Beyond Cyberconflict
- Tomorrowland: A Global Threat Brief
- Twenty Years of Cyber Threat Intelligence: and
- A Keynote Conversation with Congressman Will Hurd
OODAcon is about understanding the future and developing the resiliency to thrive and survive in an age of exponential disruption.
Society, technology, and institutions are confronting unprecedented change. The rapid acceleration of innovation, disruptive technologies and infrastructures, and new modes of network-enabled conflict require leaders to not only think outside the box but to think without the box.
The OODAcon conference series brings together the hackers, thinkers, strategists, disruptors, leaders, technologists, and creators with one foot in the future to discuss the most pressing issues of the day and provide insight into the ways technology is evolving. OODAcon is not just about understanding the future but developing the resiliency to thrive and survive in an age of disruption.
OODAcon is the next-generation event for understanding the next generation of risks and opportunities.
OODA Network Members receive a 50% discount on ticket prices. For more on network benefits and to sign up see: Join OODA Loop
Please register to attend today and be a part of the conversation.