One problem for our armed forces is the same as it is for the civilian world: We use devices, the devices collect data on where we are and what we do, and this makes us vulnerable to “bad actors.”
As a recent report puts it, “Malicious use of data: the usage of data exploiting vulnerabilities in order to deceive, disrupt, interfere and ultimately do harm to individuals and/or society.”
The report, published last month by researchers at NATO’s Strategic Communications Centre of Excellence, in Riga, Latvia, can be read or downloaded here. It contains a chapter titled, “The Current Digital Arena and Its Risks to Serving Military Personnel.”
Its authors say that disinformation campaigns, much in the news, are not the only threat to our society. In the wake of the Cambridge Analytica scandal, Mark Zuckerberg’s testimony to Congress, and the EU’s General Data Protection Regulation enforcement in 2018, Allied militaries should be defending themselves against “malicious ways” that might include manipulation, impersonation, doxing (releasing information about someone), and sensitive-information harvesting.
Sometime recently, NATO researchers embedded in a field exercise of Allied troops and played their role as the “enemy” by being digitally malicious. (The dates and location of the exercise, and which nation’s troops were involved, are classified.) This “red team” used “impersonation, honeypot pages, social engineering, general monitoring and befriending of accounts, people search engines and open source databases” to monitor and mess with troops, who were not told of the project.
“The level of personal information that could be found…was very detailed and enabled the research teams to craft influence activities,” researchers say. Instagram gave them the “timeliest information”; Facebook helped them identify people and map their links to other service members. (Soldiers did not use Twitter much during the exercise, for what it’s worth.)
Researchers made closed Facebook groups to lure in those in the exercise, interacted with them through fake personal pages, asked questions about their military jobs and units, and found out more about them on other social media, including exploitable information such as “a serviceman having a wife and also being on dating apps.”
A software engineer who co-designed the project told WIRED that their goals were: “What can we find out about a military exercise just from open source data? What can we find out about the participants from open source data? And, can we use all this data to influence the participants’ behaviors against their given orders?”
The answers turned out to be A lot, A lot, and Yes. (Researchers were able to induce “undesirable behavior,” such as leaving a position against orders.)
So far, there does not seem to be a military regulation that addresses these concerns. A reporter for a military periodical, who works in different theaters, told me, “Some hard asses don’t want troops taking phones into theater at all, while I think others realize it’s going to be a pain to police. In Afghanistan, at the big bases, there are phone shops run by the PX that provide local SIM cards and that also sell phones and other devices. In Iraq, I’ve had limited exposure to big bases, but there is at least one base where a local phone provider has a shop or kiosk of some sort on post that can sell phones and SIM cards, etc.”
If it makes anyone feel better, the problem is not unique to the US military or even NATO, the StratCom report points out:
During the Russian annexation and occupation of Crimea and Eastern Ukraine, Russian soldiers and civilians shared a wealth of information that made it possible to verify Russian aggression in Ukraine. The open source verification organization Bellingcat was able to determine precisely how a Buk missile launcher reached a particular field in eastern Ukraine, who organized the transport, where the missile launcher came from before it arrived in Ukraine, and even identify the (near-complete) history of a single launch unit.
Russia, for its part, advanced legislation this month that will limit their service members’ access to devices.
“Information posted by servicemen on the internet or in the media is used for information and psychological attack, and also in some cases to form a biased assessments of state policy of the Russian Federation,” their Ministry of Defence wrote last year.
Reports from 2017 said earlier attempts by both NATO and Russian troops to prevent foreign influence by digital means included wrapping their devices in condoms, or jumping in a lake.