The importance of cyber-security is growing. With the continued digitization of our everyday life we become increasingly vulnerable to cyber-attacks – also personally. Therefore, it is an issue to be taken extremely seriously.

By Thomas Elkjer Nissen, Military Analyst, Royal Danish Defence College

If you think that cyber-security is only a matter of firewalls and ones and zeros, you should consider what your social media profiles are saying about you and how it can be exploited – if somebody wanted to ..! But let´s start somewhere else. With the bigger picture of contemporary security concerns. One of them being so-called Hybrid Warfare.

Hybrid warfare contained everything from economic sanctions over cyber-attacks to subversive intelligence activities. In addition an extensive propaganda efforts. Part of this kind of ‘warfare’ involve cyber-activities and thus also cyber-security. Also in Europe, to include Italy. But when you look at much of the debate on cyber-security today, it primarily deals the protection of so-called ‘critical infrastructure’ and the technical solutions that goes with that. It leaves much of the responsibility for the actual security measures to public institutions, private companies, their employees and citizens in general. Especially when it comes to one of the softer sides of cyber-security – social media.

While talking about the protection of critical communication infrastructure in the political debate today and the threat of state-sponsored hackers and cyber-espionage against private companies and the public, there’s a lot of these activities we miss having focus on – the fact that a lot of it is facilitated in and through social media. They’re just not particularly discussed in a security context. But social media do have a particular cyber-security angle to them as well. Activities, include things that are part of hybrid warfare, entail intelligence gathering against public and private interests, including Italian, but also activities that have to do criminality. The challenging part is that it is very difficult to divide these activities, as they often carried out by the same actors, and with the same techniques, just at different times and at different targets. Criminal networks might be working for them self’s, for other criminal interests, for non-state actors and for state actors.

The techniques include both criminal and intelligence organizations’ use of ‘social engineering’ (or targeted manipulation) in their scams tricks and industrial espionage. Primarily through utilizing what they can openly find on people’s private social media profiles (open source) – trust me, people do give up a lot of information on their social media profiles that can be exploited. But it also includes the use of algorithms to cheat people on dating sites, the clever use of the cross-media communication techniques that social media offers to influence the public debate and the political discourse. The consequence may be the emergence of a ‘shit storm’ (heavy critique that goes viral) on social media, that individuals, companies or politicians inadvertently gets mixed up in, just for participating in the debate. But it can also be orchestrated in order to influence the perception of a given situation and the attitude and behavior of people. Just look at the phenomenon of ‘internet trolls’ which has been widely discussed in connection with Russia and hybrid warfare, not to talk about propaganda, mobilization, radicalization and recruitment by terrorist-organizations like Daesh.

Many of these issues are to a certain extent known. The mainstream media has regularly reported upon it, but most often in the context of a criminal matters, or in the context of how politicians communicate today via social media. But behind these simple stories lies a pattern of extensive use of social media for everything from intelligence gathering, targeting of individuals, groups and organizations (public and private), propaganda and misinformation to actual cyber-attacks on other social media profiles belonging to ‘opponents’. All to gain access to networks and information through manipulating people, via social engineering, to do things which are contrary to their interests, often via their social media profiles. This allows actors whether they are governmental, non-governmental, or just individual criminals to circumvent the technical cyber-security as we speak so much about in the current debate, and still achieve their purpose. Cyber-security has a soft side – social media – which continues to be undervalued.

Sound daunting? It might do it! But it is also part of the ‘social’ media reality we all live in every day. A reality where deception, espionage and propaganda can reach us through our smartphone or other mobile devices and where our otherwise ‘social’ cyber presence is exploited to commit, among other things, crimes. It is also a reality that should force us to think a little bit more critical about what we do on social media, which attachments we chose to open in e-mails and SMS texts and which links we follow. But also who we allow to become a part of our network;  your network, whoever security aware you might be, is not stronger than the people you let into it. It may all seem somewhat low practical and social media may seem banal and harmless, but it is in the detail you find the devil.

Social media as an element of cyber-security, and a distinct sub-set to cyber-warfare, should therefore play a greater role in society, companies and ordinary citizens thinking about cyber-security, and should therefore also be more prominent in the public and political debate on the subject.

Thomas Elkjer Nissen

Copenhagen, May 2016.