Seriously Risky Business Newsletter
April 09, 2026
Srsly Risky Biz: American Diplomats to Fight Propaganda… on X
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week's edition is sponsored by Airlock Digital.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

US Secretary of State Marco Rubio has called for the State Department to push back against foreign state-backed propaganda and disinformation. Unfortunately for Rubio, he also dismantled the State Department's counter-propaganda office last year. It won't be recreated easily.
When it shut down its counter-propaganda office, the US government essentially left the detection of coordinated disinformation campaigns to private companies, at least some of which either don't care or are actively taking extreme positions: X is now a cesspool of disinformation.
Last week, though, Rubio sent a memo to global US diplomatic posts directing them to launch their own campaigns combatting foreign propaganda. Per The Guardian:
The cable instructs… embassies and consulates to pursue five broad goals: countering hostile messaging, expanding access to information, exposing adversary behavior, elevating local voices who support American interests, and promoting what it calls "telling America's story". Embassies are told to recruit local influencers, academics and community leaders abroad to carry counter-propaganda messaging, an approach designed to make American-funded narratives feel locally organic rather than centrally directed.
Rubio's memo instructs posts to coordinate their work with the Department of War's psychological operations unit. We understand the desire for centralised coordination, but the DoW does have very different goals from the State Department.
This week, for example, Politico reported that a CIA disinformation operation was used to distract Iranian forces while the US military was extracting a downed airman who was stranded in Iran. The operation planted information that the airman had already been found and was being extracted out of the country by ground travel.
Despite this operation being credited to the CIA, it is a perfect example of a military deception campaign. It had specific military objectives, was tightly scoped to the area of operations, and it is difficult to imagine it could cause harm to civilian populations.
By contrast, rather than achieve specific objectives within a limited area of operations, the State Department typically wants to support American interests by winning friends and gaining influence globally. Additionally, the Pentagon's psychological operations have not historically been what we'd describe as sterling examples of best practice.
What a shame there isn't already an office in the State Department that could be used to coordinate this work! But back in April of last year, Rubio shut the department's Counter Foreign Information Manipulation and Interference office, saying it had been used to "actively silence and censor the voices of Americans".
The author of this newsletter had dealings with that office's predecessor, the Global Engagement Center. In our experience it was rightly focussed on countering foreign interference and funded projects that, amongst other things, characterised Chinese influence campaigns.
Among the five goals in Rubio's cable were two separate and distinct directives: promote trustworthy information and reveal fakes.
In regards to uncovering fakes, individual embassies are being asked to counter state-backed propaganda and disinformation campaigns that are well-funded, organised and have been operating for years. The directive comes at a time that we suspect US embassies already have more than the usual number of diplomatic crises to deal with.
Rubio has helpfully provided suggestions for how diplomats should go about achieving these goals, though. They should use resources such as X's Community Notes and unspecified AI tools.
It is worth mentioning that Community Notes actually does very little to counter these operations. It is focussed on checking facts, rather than identifying and outing the campaigns themselves. A Bloomberg analysis found that Community Notes does not typically work for divisive opinions because, almost by definition, there is no group consensus. As a result Community Notes has become a target for coordinated inauthentic behaviour because if a malicious group can create the appearance of division, a community note does not get published.
X tries to identify and counter campaigns when they reach Community Notes, but prior to Elon Musk becoming CEO it had a more ambitious trust and safety agenda. Back then, it would attempt to detect and neuter these organised inauthentic campaigns as soon as they appeared anywhere on the platform.
As for the goal of promoting trustworthy information, the Trump administration has also cut funding to broadcasters such as the Voice of America, Radio Free Asia and Radio Free Europe. These organisations are run at arm's length from the US government, so local audiences could be more receptive to their message than, say, to one from the State Department when it is being directed to "tell America's story".
We are unsurprised that the US government's image worldwide is taking a serious walloping. In addition to unpopular foreign policy initiatives, it has also left the field wide open for malicious foreign disinformation and propaganda campaigns. Talk about leading with your chin.
In the short-term, reinstating the State Department's counter-propaganda programs won't do much to turn around America's messaging problems. Disinformation and propaganda, however, is a game that America's adversaries are playing for the long-term.
The State Department has known about this problem for a while. Back in October last year Intelligence Online reported that the Department was thinking about reactivating some of its counter-propaganda offices. At some point, we expect the US will start, once again, to actively counter these campaigns in an organised, centralised and more effective way.
Until then we do have a memo. Diplomats, start filling out your Community Notes.
Lawful Intercept Systems Are Enduring Targets
Chinese cyber espionage groups are targeting America's lawful intercept and surveillance systems. There needs to be a concerted effort to protect them.
Last week Politico reported that the FBI declared a recent China-linked breach of its systems to be a "major incident" because it poses significant risks to US national security.
The breach was first disclosed in early March and relates to a sensitive system containing information about law enforcement targets. A notice sent to Congress said that while the affected system was unclassified, it contained "law enforcement sensitive information, including returns from legal process… and personally identifiable information pertaining to subjects of FBI investigations".
The notice continued that the hackers had accessed the FBI's infrastructure after making their way through a commercial Internet Service Provider.
This is just the latest in a string of hacks targeting these types of systems.
Salt Typhoon, the Chinese hacker group that has been on a tear compromising US and global telecommunications companies, has also had its sights on lawful intercept systems. Our understanding, based on careful parsing of reports from the 2024 hacks, is that the group compromised portals that telcos used to track lawful intercept requests. But it was not in a position to control the lawful intercept systems themselves.
Assuming we are correct, that means that in both the 2024 Salt Typhoon breaches and the more recent FBI hack, Chinese hackers were able to access information about who was being targeted for lawful interception by authorities. Even though this doesn't enable further collection, it is still a huge deal for US national security.
Simply knowing who was subject to federal requests for wiretaps would be a goldmine for China. The knowledge could be used to adjust their espionage or transnational repression efforts. If their agent was being surveilled, for example, they could slam the brakes to avoid being caught red-handed. No wiretap in sight? It’s full steam ahead.
In the Salt Typhoon breaches of 2024, the hackers are believed to have targeted the calls and metadata of about 40 people including members of the Harris campaign, then former President Trump and his vice presidential nominee JD Vance.
Possibly having intercepted Trump's phone calls is a huge deal, but there are pretty straightforward mitigations for this kind of telecommunications-infrastructure-based collection, like using encrypted messaging apps such as Signal. That's even the official US government advice.
There is, however, no equivalent easy-to-implement mitigation for lawful intercept systems.
The Salt Typhoon targeting of these systems was discovered back in late 2024, but there was no in-depth report detailing exactly what happened or appropriate countermeasures to take. In March this year, Congress was notified of the breach of the FBI's system.
Chinese hackers are engaged in an ongoing, persistent campaign to target lawful intercept systems. The best time to secure them would clearly have been before the Chinese hacked them. But rather than continue a steady-as-she-goes approach when the Chinese are obviously having some success, the time for a concerted defensive rethink is now. Let's hope we get it.
Watch Amberleigh Jack and Tom Uren discuss this edition of the newsletter:
Three Reasons to Be Cheerful This Week:
- Anthropic's Project Glasswing: AI company Anthropic has given over 40 tech companies pre-release access to its new Mythos Preview model, which looks to be really very good at finding 0day. The idea is to give them a head start on identifying and fixing vulnerabilities before models this capable are more publicly released. The access comes with USD 100 million in usage credits.
- US spyware maker sentenced: Bryan Fleming, the American founder of pcTattletale spyware, was convicted of the making, selling and advertising of unlawful spyware. Fleming was sentenced to time served and a USD 5,000 fine.
- Germany doxxes ransomware kingpin: Daniil Maksimovich Shchukin was a key member of both the REvil and GandCrab groups according to the German Federal Criminal Police, the BKA. Krebs on Security has further coverage.
Sponsor Section
In this Risky Business sponsor interview, James Wilson chats with Airlock Digital co-founders, David Cottingham and Daniel Schell, about how they’re moving up the stack from file-based allowlisting to application-based allowlisting. David and Daniel explain how they’re making a seamless and quite logical move into application allowlisting, but with a new take on the technique.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss how Iran's cyber forces have been used during the ongoing war so far.
Or watch it on YouTube!
From Risky Bulletin:
Cybercrime losses passed $20 billion last year: Americans lost almost $21 billion to cybercrime last year, more than in any other year since the FBI began tracking cybercrime data 25 years ago, the FBI said in its yearly Internet Crime Report [PDF].
Investment scams were again the top category in terms of losses, with $8.6 billion reported stolen, and almost $6.2 billion of that sum being stolen as cryptocurrency.
Cyber-enabled fraud accounted for 85% of last year's losses, almost $17.7 billion.
Investment scams have been the category with the biggest reported losses in the report since 2022, with total losses rising every year, so there is no surprise here, and anyone watching the infosec space was anticipating this result.
[more on Risky Bulletin]
New Cambodian law will put scam compound operators in prison for life: The Cambodian government passed a new law last week that introduces big fines and heavy prison sentences for the operators and workers of cyber scam compounds.
The new bill passed unanimously in the National Assembly and Senate and was sent to the country's king to be signed into law. It comes after major international pressure from both China and the US for the local government to crack down on its sprawling cyber scam ecosystem.
The law introduces tiered penalties depending on a suspect's role in the scam operation, such as whether they acted alone or as part of a larger cybercrime syndicate.
[more on Risky Bulletin]
Russia will revoke licenses for unruly ISPs: The Russian government will tighten operating requirements for internet service providers in an effort to kill small neighborhood providers.
The new requirements will include higher license fees, larger minimum operational capital, and mandatory deployment of the FSB's SORM traffic interception equipment.
According to reports from Izvestia and RBC, the new proposed rules would give the Russian Ministry of Digital Development, Communications, and Mass Media the power to revoke licenses without a court order for those who fail to comply.
[more on Risky Bulletin]