This is part 2 of Lance James' two-part series on psyber intelligence. In his first article, "Understanding the Human at the End of the Keyboard," he breaks down the benefits of leveraging human intelligence and the cyber domain.
You're not who you think you are;
you're not who others think you are;
you're who you think others think you are!
The field of cybersecurity encompasses psychology in numerous ways, most often as a counter to phishing campaigns, ransomware and online extortion. All of these offensive tactics aim to cultivate and exploit psychological triggers in their targets, such as panic, fear, uncertainty, and pressure. In many cases, these triggers can induce a reflexive response that benefits the threat actor, thereby enabling them to, for example, steal your credentials or force you to pay a ransom to decrypt your data. This is why so many deterrent-oriented cybersecurity strategies employ psychological and perception-management concepts.
While there are numerous headlines in the media about strategic psychological influence campaigns, there tends to be a general lack of understanding of the applied techniques. Given today’s content-driven society, it benefits cybersecurity and threat intelligence practitioners to enhance their understanding of the psychological strategies and exploitation techniques within the intelligence and counterintelligence tradecraft.
Strategic communications is a term commonly used in the intelligence community and refer to coordinated actions, messages, images, and other forms of signaling or engagement intended to inform, influence, or persuade audiences in support of an objective. This term typically falls under the military divisions in psychological operations and involves a discipline called perception management.
Due to the speed and viral nature of digital communication platforms, forums and social networks have become a playground for perception management. Tactics such as disinformation campaigns, passive interrogations, interviews and establishing covert identities all employ perception management techniques.
There are nine strategies for perception management. These include:
Applying these perception management strategies to the online world is quite common and usually innate among users on the Internet. Simply put, the online world primarily supports designed identities and the perception management of such identities. The distinct advantage in cyberspace is the fact that as you create a new identity, the online environment lends itself to initial pseudo-anonymity that allows an individual or group to develop their perception strategically when desired.
For example, an individual whose real-life or offline persona intentionally differs from the persona they portray online is typically known as a sockpuppet. Sockpuppets are known to use deception techniques to troll, influence, confuse, modify or disrupt an event, opinion, or reputational image via avenues such as online voting, reviews, promotions, comments, and community status and opinions.
The psychology of trust in online communities is typically rooted in social controls. Since it is difficult to see or truly get to know a person based solely on their online persona, members of online communities tend to earn their credibility through crowd-sourced reputation or rating systems. In these cases, trust is based on the individual actions conducted between community members. If a member's actions enable others to perceive them as trustworthy, their reputation or rating goes up. The opposite is also true. This type of system is a form of perception management because it shapes and dictates members' behaviors and actions based on an established set of community rules.
The star-based rating systems often found in everything from consumer product and business reviews to online forums aren’t arbitrarily using stars. Stars represent reward and incentive—a concept that has been ingrained in many of us since we were in elementary school. The familiarity of symbolic stars has even been known to trigger a neuro-association that induces an initial reflex in many people.
“If you get a good grade, we will put a star next to your name! Great Job!”
-- My elementary school teachers
“Don’t forget to give me a 5-star rating if you think I did well!!”
-- My online ride service driver yesterday
If the above statements feel familiar to you, then you can easily relate to the natural reflexes stars induce. By signaling feelings of accomplishment and achievement, stars can increase dopamine levels in the brain.
Indeed, B. F. Skinner’s work on operant conditioning in the mid-20th century demonstrates why reputation systems are so powerful in modifying online social behavior. Operant conditioning is the process of changing behavior using reinforcements given after the desired response. He identified the following three types of behavioral responses or operants:
Reputation systems work by incentivizing the gamification techniques that drive community participation and foster honesty, integrity, and civility among members. In other words, these systems are rooted in online operant conditioning: a community’s perception of each member is managed and disseminated through their online rating score.
The dark side of these systems stems from the fact that they are community-based social manipulators designed to induce reflexive response conditioning, also known as stressors, among participants. Hacking such a system could cause a community breakdown very rapidly.
A common mission in military intelligence and counterintelligence psyops strategy is to interfere with an adversary’s decision-making process. Similar to using electronic jamming systems in warfare, reflexive control (RC) theory is essentially a cognitive jamming system that typically leverages disinformation and deception campaigns. Reflexive control is defined as a means of conveying specially prepared information to a partner or an opponent to incline them to make the predetermined decision desired by the initiator of the action.
RC theory is similar to perception management. However, rather than focusing on managing or influencing the information to be received by the target, RC theory aims to control the target’s decision-making process. Although typically human, the target can also be a machine’s decision-based process.
The intelligence lifecycle and process is designed to augment decision-making based on the analysis of information collected and then disseminated. RC techniques focus on interfering with this process, specifically in how and what information is disseminated to the target’s decision-makers in an attempt to manipulate the psychological algorithms on which they rely to make decisions. RC elements that are commonly deployed to interfere with the decision-making process include:
Another challenge in the online world is that the target of an RC element does not have to be an individual; it can also be a community or larger population. For example, in 2013 a Syrian hacker group gained access to the Associated Press’s Twitter account and tweeted disinformation to the company’s two million followers about explosions in the White House that injured Barack Obama. The act caused a widespread fear-based reflex of short-term panic. In response, the Dow Jones dropped by 150 points and lost roughly $136 billion in equity market value during a span of three minutes. This seemingly juvenile prank caused a kinetic reflex that demonstrated the substantial damages that can occur when a critical decision-making process is manipulated en masse.
One of the most exploitable flaws in the decision-making process is the presence of perceptual and cognitive biases. Simply put, we are humans with preconceived beliefs, assumptions and perceptions that can affect and, in some cases, corrupt the decision-making process. To combat these types of biases, it’s important to employ a structured decision-analysis process that challenges judgements, identifies fixed views of mental mindsets, manages unknowns and uncertainties, and stimulates creativity.
The original concept of SACH, originally named ACH invented by Richard Heuer, is a methodology for evaluating multiple competing hypotheses while removing biases from the decision-making process. A real-world example use case where SACH methodology could apply is in online attribution cases - especially those where competing theories will suggest different attribution hypotheses, such as claims of North Korea's versus Russia's involvement in a high-profile breach. Among the inevitable investigation chaos, public outcry, and media pressure, it is easy to make decisions that are flawed. This methodology is an auditable framework that enables transparency in the decision-making process. By systematically exploring all the components of the scientific method within a matrix and allowing one to verify and analyze how any given conclusions were made, SACH helps to remove bias.
Hypothesis and argument mapping extend the SACH model by creating a hierarchical view of the decision-making and hypotheses investigation processes. Tim Van Gelder is a pioneer in argument mapping, which is a visual representation of the structure of an argument. Hypothesis mapping visualizes the thinking process when investigating the hypotheses.
One of the most effective forensic problem-solving methodologies is conducting a RCA to examine cause and effect. For instance, if a problematic decision was made, identifying the root cause can enable us to determine how and why the decision was made in the first place. By helping us identify the breakdown in the chain and recommending future procedures, the outcome of a RCA will provide guidance on preventing a repeat of the problematic decision. The basics of the RCA process are:
RCAs are an invaluable examination and feedback tool for quickly mitigating potential systemic flaws in our decision-making process or algorithms.
The Future of Psyber
We live in an age where high-speed content is widely available, online communications are the norm, and cyber attacks are ubiquitous. As such, master’s degree programs in cybersecurity may want to consider expanding their curriculums to include classes on social and behavioral psychology. The next generation of practical cybersecurity defense and cyber risk management will need to combine the disciplines of intelligence, counterintelligence, information security, data science, and psychology. Otherwise, tactics such as ransomware someday might not be about the money, but instead about forcing victims to do something else.
Lance will teach a two-day workhop on how to turn threat intelligence into a defensive component within your overall security program at InfoSec World 2018 in Orlando, Florida. Check out the details on our event website.