Russian interference in the United States’ 2016 elections fundamentally reshaped how internet platform companies approach security. In contrast to traditional content-moderation problems, influence operations like those we saw in 2016 were the work of networks of bad actors who deliberately abused product features to spread disinformation.
In the years since, several technology companies have adopted a model developed at Meta that goes beyond content moderation to integrate the detection of adversarial networks, the ability to disrupt their operations, and an information-sharing and disclosure regime designed to raise the cost to adversaries and reduce the impact of those operations. Since 2017, Meta’s teams have disrupted more than 200 covert influence operations from more than 60 countries. This cadence of disruption has complicated the ability of Russian and other influence operations to develop mature platforms for influence and meaningful audiences to target. Each time we disrupt these operations, we use our discoveries to train machine-learning models on the bad actors’ behaviors and detect them if they try to come back, and we re-engineer our products to make the terrain more challenging for adversaries. For example, after discovering in 2017 that Russia-based threat actors were using Facebook Pages to appear like American actors, our teams removed the deceptive pages and built tools to make the location of Pages administrators transparent, forcing bad actors to take substantial—and expensive—steps to evade detection.
As the technology industry has pushed back on these adversarial networks, they have evolved their tactics—becoming increasingly cross-platform and migrating to corners of the internet with more permissive (or nascent) moderation. In many cases, these operations fluidly cross between the online and offline worlds, relying on traditional intelligence techniques derived from pre-internet espionage—like the recruitment of third-party agents and the creation of forged documents—to enable their activity. And the perpetrators of these operations—once chiefly the domain of governments—are increasingly private for-hire companies operating as cyber mercenaries. These for-hire companies make it difficult for defenders to hold bad actors accountable, because the client behind the abusive activity is obscured. The evolution of these threats necessitates a whole-of-society approach to combat them. Larger platforms are getting better at identifying and disrupting bad actors, but meaningfully constraining their online activity requires cooperation across industry to raise defenses on smaller platforms that may currently lack trust and safety capabilities.
Governments, too, have an important role to play, as both defenders—by sharing actionable threat intelligence with the technology industry—and regulators. The growth of the for-hire disinformation and surveillance industries happened largely in a regulatory vacuum, with the strongest pushback on abusive spyware and disinformation-for-hire firms coming from private companies. Last December, Meta released detailed recommendations for governments to consider to more effectively constrain cyber mercenary actors, and there are heartening signs of progress.
Shortly after our report was released, Congress incorporated restrictions on for-hire surveillance procurement into the 2023 Intelligence Authorization Act and National Defense Authorization Act. In March, the White House released a landmark executive order restricting the U.S. government’s procurement of commercial spyware and imposing further restrictions on its sale and use. This order coincided with an initiative by the Cyber Tech Accord, Microsoft, Meta, and others in the industry to formalize recommendations to constrain cyber mercenaries. The European Parliament’s committee of inquiry on Pegasus spyware released detailed regulatory findings in 2023. There has not been a more opportune time for a multistakeholder approach: for industry, government, and civil society to push back against these threats together.
David Agranovich is the Director of Threat Disruption at Meta, where he coordinates the disruption of influence operations, cyber espionage, and adversarial networks across the company. Prior to joining Meta, David served as Director for Intelligence at the White House National Security Council, where he led the United States government’s efforts to address foreign interference in democratic systems and elections. He also served in a variety of senior roles at the Department of Defense, focused on Russian counterintelligence, organized crime, and corruption.