This article is published as a part of a study "Responding to Cognitive Security Challenges". Full report is also available online: www.stratcomcoe.org

Introduction

The last few years have provided an abundance of examples of how malicious actors can exploit user data to the detriment of social media users, armed forces, and society. This study explores what kind of user data is available in the digital environment and demonstrates how a malicious actor can exploit this data in the context of a military exercise. The results of an experiment conducted by a NATO StratCom COE research team suggest that in the current digital arena an adversary would be able to collect enough personal data on soldiers to create targeted messages with precision, successfully influencing their chosen target audience to carry out desired behaviours. 

Conclusions

In an essay entitled Preparing for Elections, Facebook CEO Mark Zuckerberg stated that his focus for 2018 is to defend elections against interference, protect the community from abuse, and make sure individuals have more control of their information.30 These are all important and complex steps that must to be taken by all responsible and serious actors. After years of social media manipulation by malicious actors, we finally have movement in the right direction.

However, states and its citizens need more than verbal assurances that our vital assets will be protected. We must probe, test, and continuously evaluate how data exploitation by malicious actors can threaten allied goals and interests. We need to build not only an infrastructure that protects us, but also improve the training and exercises that test our ability to detect and counter influence activities. 

Our experiment showed that, at the current level of information security, an adversary is able to collect a significant amount of personal data on soldiers participating in a military exercise, and that this data can be used to target messages with precision, successfully influencing members of the target audience to carry out desired behaviours. 

However, although we managed to collect data and induce behaviour detrimental to the conduct of military operations, we also faced a number of difficulties indicating that social media companies are increasing their efforts to prevent abuse of their platforms. Facebook in particular provided significant pushback, and several of our fake accounts and pages were suspended during the course of the experiment. The fact that social media abuse has been much debated as a phenomenon during the last year has increased public and institutional awareness of the risks and challenges. The effect of this heightened sensitivity was that several of our fake profiles and pages were reported by the armed forces we targeted, and on one occasion a warning for the fake page we had created was circulated. 

Even so, despite heightened sensitivity and active users reporting suspicious behaviour, we were successful on a number of occasions, proving that misuse of social media platforms for targeting purposes is still quite possible. Our experiment showed that much remains to be done to improve security, both by the social media companies and by the armed forces. Some of the flaws that enabled us to manipulate social media and social media users are human flaws that can only be addressed through better training and stricter control. But other flaws, such as the lack of transparency, opportunities for microtargeting, and misuse of anonymity, are vulnerabilities built into the social media platforms themselves; this highlights the continuing need to improve these platforms. Two immediate changes that the social media platforms should consider in order to reduce vulnerabilities are: 

  • Stricter control of the ‘suggested friends’ feature — a friend should not be suggested unless the user has accepted the friend request. As it stands now, this feature made it extremely easy for us to map out entire units and battalions by identifying only a single member of a unit. 
  • Preventing search features to showing hidden data — searches should not be allowed to show results that have intentionally been hidden from the public profile by the users. 

Our final conclusion is an old conclusion that bears repeating. The armed forces must step up monitoring and countermeasures to reduce the risk of social media being used to gather mission-sensitive information. This is, and will continue to be, a significant challenge in the years to come.