15 March 2019

An American National Information Security Strategy

By: Kevin Truitte

In today’s Digital Age, information is a potent weapon. American adversaries such as Russia and China understand the power of information and seek to manipulate it to their advantage. From injecting or magnifying divisive messages in social media to penetrating government networks to steal employee information, they understand the information domain as a contested battlespace, an arena to influence and undermine U.S. social cohesion at home and soft power influence abroad.[i] In the face of today’s foreign information warfare activities, the United States needs a whole-of-government information security strategy to more effectively secure the American information environment—the physical infrastructure, networks through which information flows, and humans who transmit and respond to messages.[ii] This strategy should expand the understanding of information security while firmly adhering to the freedoms central to American values.


During the 2016 presidential election, the scope of Russia’s information warfare caught the country—from senior administration officials down to the average American—off guard.[iii] The Russian Internet Research Agency (IRA) generated mass disinformation campaigns through social media platforms such as Facebook and Twitter aimed at poisoning the information environment and reinforcing political and social divisions in the American population.[iv] Meanwhile, Russia’s military intelligence agency, the Main Intelligence Directorate of the General Staff (GRU), penetrated servers of the Democratic Party and stole emails and documents, later doctoring and releasing them through Wikileaks to further sow division and disinformation in the elections.[v]

Nor is Russia alone in exploiting the U.S. information environment. China actively conducts cyber espionage—compromising the confidentiality of American businesses and government systems and stealing sensitive data—and covertly influences American institutions and public debate through opaque monetary incentives and lobbying efforts.[vi]

The fiasco surrounding Russian influence in the 2016 elections combined with China’s long-term influence efforts reveals a critical U.S. security vulnerability. Unlike authoritarian states, the U.S. Constitution provides bedrock legal protection for freedom of expression. While China and Russia muzzle dissent, the U.S. government by law cannot punish people for their opinions and beliefs. Long a strength of American society, recent information warfare efforts directed at the United States have exploited these freedoms to manipulate people through obfuscated propaganda efforts on social media, compromising the integrity of the American information environment.[vii] This is easier because the internet blurs national borders. Information can transit instantaneously from a Russian propaganda office in Moscow to the computer screen of a farmer in Iowa or a steelworker in Michigan.[viii]

The national security bureaucracy has struggled to adapt to this new reality. The U.S. government neither shares definitions of concepts such as information warfare across the whole-of-government, nor does it coordinate informational efforts well across departments and agencies.[ix] While the recent establishment of the externally-facing Global Engagement Center (GEC) at the State Department and a countering foreign influence taskforce at the Department of Homeland Security (DHS) represent steps to address this deficiency, these offices are stymied by lack of resources and limited strategic-level coordination.[x] Moreover, while the U.S. government recently published a National Cyber Strategy to address these issues,[xi] it does not have a broader information strategy to address foreign efforts to manipulate America’s open information environment.

To remedy this, the United States should establish a national information security strategy. Under direction of the National Security Council and supported by legislation from Congress, the strategy would coordinate offensive and defensive information efforts across the executive branch. The strategy should label the information architecture of social media and public online communications as critical infrastructure. In doing so, the government can grant additional authorities to establish coordination mechanisms with social media companies such as Facebook and Twitter, tech and web hosting giants like Google and Amazon, and other relevant organizations. Currently, the government—led by DHS—works ad hoc with these companies on threats such as potential disinformation efforts during the 2018 elections. Institutionalizing these relationships through an Information Sharing and Analysis Center (ISAC) and public-private partnerships ensures that companies’ interests are respected, the government bolsters its countering disinformation goals, and private citizens’ rights are secured.[xii] These centers and partnerships will facilitate greater cooperation in the information space and faster information sharing to improve disruption of foreign disinformation operations.[xiii]

An information security strategy would also include offensive cyber activities to deter and disrupt disinformation efforts, consistent with new U.S. policies under the National Cyber Strategy that enables Cyber Command to “take the fight to the enemy.”[xiv] In a recent example, Cyber Command hacked the IRA the day of the 2018 midterm election, disrupting internet access and spooking IRA employees in Saint Petersburg.[xv] Offensive disruption of an adversary’s ability to conduct information operations against the U.S. information environment reinforces information security defenses through deterrence.

Lastly, the strategy should commit the government to medium- and long-term efforts to strengthen fact checking, critical thinking, and media literacy within the American population. Paid for in part through Department of Education grants, this initiative will in cooperation with media outreach, education-focused nongovernmental organizations, local and state governments, public and private educators, and tech companies. These efforts should increase Americans’ longer-term resistance to foreign-backed disinformation through workshops and curricula designed to help students think critically about news and ad campaigns raising awareness of the prevalence of foreign disinformation.

Ultimately, the United States needs to strengthen the defenses of its information domain in the face of adversaries that factor it heavily in their counter-U.S. strategies. To do this, the government must enact a strategy to improve coordination of strategic direction within the bureaucracy, cooperation with the private sector to disrupt and reduce the effectiveness of disinformation, offensive deterrent and disruption capabilities to further deter foreign adversaries, and a longer-term education-focused campaign to strengthen the American people’s resilience against foreign-backed disinformation. While this strategy will not completely protect against all foreign disinformation efforts, it will weaken their scale, reach, and effectiveness and thus reduce America’s vulnerability to 21st century information warfare.

[i] Kimberly Underwood, “A New Front in Information Warfare,” AFCEA Signal, May 1, 2018, https://www.afcea.org/content/new-front-information-warfare-0.

[ii] Congressional Research Service, Information Warfare: Issues for Congress, March 5, 2018, Catherine A. Theohary, https://fas.org/sgp/crs/natsec/R45142.pdf

[iii] Joeseph Menn, “U.S. government loses to Russia’s disinformation campaign: advisers,” Reuters, October 20, 2016, https://www.reuters.com/article/us-usa-russia-disinformation-analysis-idUSKBN1492PA

[iv] United States of America v. Internet Research Agency LLC, 18 U.S.C. §§ 2, 371, 1349, 1028A, (2018), https://www.justice.gov/file/1035477/download.

[v] United States v. Viktor Borisovich Netyksho et al, 18 U.S.C. §§ 2, 371, 1030, 1028A, 1956, and 3551 et seq., (2018), https://www.justice.gov/file/1080281/download.

[vi] Larry Diamond et. al., Chinese Influence & American Interests: Promoting Constructive Vigilance, Report of the Working Group on Chinese Influence Activities in the United States, (Hoover Institution Press, Stanford, 2018), https://www.hoover.org/sites/default/files/research/docs/chineseinfluence_americaninterests_fullreport_web.pdf

[vii] Paula Chertok, “Russophobia: How Russia Exploits Western Values For Its Propaganda,” StopFake.org, May 22, 2018, https://www.stopfake.org/en/russophobia-how-russia-exploits-western-values-for-its-propaganda/

[viii] “Keep the Internet Free of Borders,” The New York Times, Agust 10, 2015, https://www.nytimes.com/2015/08/10/opinion/keep-the-internet-free-of-borders.html

[ix] Congressional Research Service, Information Warfare: Issues for Congress.

[x] Congressional Research Service, Information Warfare: Issues for Congress ; Erin Banco and Betsy Woodruff, “Trump’s DHS Guts Task Forces Protecting Elections From Foreign Meddling,” The Daily Beast, February 13, 2019, https://www.thedailybeast.com/trumps-dhs-guts-task-forces-protecting-elections-from-foreign-meddling

[xi] Office of the President of the United States, National Cyber Strategy of the United States of America, September 2018, https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf.

[xii] Chris Meserole and Alina Plyakova, “Disinformation Wars,” Foreign Policy, May 25, 2018, https://foreignpolicy.com/2018/05/25/disinformation-wars/.

[xiii] Gabe Cederberg et al, National Counter-Information Operations Strategy, Defending Digital Democracy, Harvard Kennedy School Belfer Center for Science and International Affairs, February 2019, https://www.belfercenter.org/sites/default/files/files/publication/CounterIO.pdf.

[xiv] Dan Lohrmann, “New National Cyber Strategy Message: Deterrence Through U.S. Strength,” Government Technology, September 29, 2018, www.govtech.com/blogs/lohrmann-on-cybersecurity/new-national-cyber-strategy-message-deterrence-through-us-strength.html.

[xv] Ellen Nakashima, “U.S. Cyber Command operation disrupted Internet access of Russian troll factory on day of 2018 midterms,” The Washington Post, February 27, 2019, https://www.washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-internet-access-of-russian-troll-factory-on-day-of-2018-midterms/2019/02/26/1827fc9e-36d6-11e9-af5b-b51b7ff322e9_story.html

No comments: