Taking the Narrative Back: A Q&A with Christopher Krebs

A candid conversation with the Founding Director of the US Cybersecurity and Infrastructure Security Agency

Media Genius

--

Gone are the days when information disorder only affected political campaigns. Case in point: More than 50 CCOs, CMOs, and director-level executives from industries spanning manufacturing to healthcare to consumer tech joined us for a conversation this summer about the threat of disinformation on their businesses. Hosted by Gail Heimann, CEO of Weber Shandwick, and myself, the session also featured Chris Krebs, founding director, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security, and CEO Krebs Stamos Group.

Check out an excerpt of this candid discussion about the realities of information disorder, what’s in store, and how companies can prepare. Or you can listen to the session here. You’ll hear the group address essential questions about the clear and present dangers posed by information disorder — and share their perspectives on how communicators can take on this complex business problem.

Gail Heimann: Chris, you’ve been on the frontlines of this issue at CISA and Microsoft and now the Krebs Stamos Group for many years. Having been in the trenches, give us a sense of what you’re seeing broadly?

Chris Krebs: The last four years were about as fast-paced as I could have imagined. I still feel like catching up on sleep every day that ticks past now that I’m eight months out of the job. It still feels like I’m in recovery mode.

But when you think back to the 2016 election and the intelligence community report that highlighted three different levels of targeting by the Russians, it’s that third bucket of continuous disinformation campaigns that the Russians have launched against the US that stands out because it wasn’t necessarily about the election. It was a broader effort on behalf of the Russian government to undermine confidence. To cause chaos. To get into the psyche of the American people.

And it wasn’t always about right or left. Democrats or Republicans. They really got into the meat of who we are as Americans. The issues that play out on TV every day like racial inequality or gender identity. One of the best examples of the 2016/2017 era was Nike and Kaepernick. The Russian internet research agency that drove disinformation saw that cultural wedge. They knew how divisive it was. And so they used a US corporation as a pawn in their broader game. And that’s just one really small example.

The challenge here more than anything is the low barrier to entry compared to cyber security capabilities for instance, where you need technical acuity and scale to roll out a disruptive cyber operation. The barrier to entry for a disinformation campaign is very, very low. Moreover, there are close to zero consequences outside of losing your accounts or losing your infrastructure.

So there’s a lot of rinse and repeat that happens out there. And it’s not just state actors. It’s not just Russia. It’s not just Iran. It’s not just China. It’s conspiracy theorists. Look at what’s happening in the pharmaceutical space with anti-vaxxers notching win after win after win because they have asymmetry of information and a loss of expertise that puts corporations square in the crosshairs, where in some cases, from a regulatory perspective, they can’t even reactively engage.

So we’re seeing a proliferation in the threat actor space with an acceleration of the information ecosystem and the different mechanisms and platforms they can launch. And unfortunately American corporations everywhere — I mean the Gulf region is an absolute information warfare cesspool right now — are caught in the middle. They’re being used as pawns in a much larger game.

Corporations everywhere are being used as pawns in a much larger game.

Gail Heimann: So bigger ecosystem in the media, a lower barrier to entry, lots of players, and corporations caught in the middle. Got it. I’m going to segue to Chris Perry. Chris, we’ve been in this business for a while and this may seem a little foreign to the kind of counsel that we historically provide to our clients. But we have been in the issues and crisis management business for a long time. Is this an extension of that? Or is this something broader? Something different?

Chris Perry: I think the short answer is both. As Chris just explained, we’re definitely skewing toward the latter. We’re seeing a pretty epic ground shift that warrants the attention of everyone on this call and beyond.

We’ve been analyzing the situation and looked at it from the perspective of changes in the ecosystem versus some of the political and geopolitical sparring that Chris referenced. And we’ve seen so much change so fast over the last couple of years. The playing field is different. The actors are different. The tactics are different. This stuff is happening in highly visible places like Facebook. But a lot of it is happening off the radar of the bigger platforms out there.

And I think what’s very different, and what we’re going to get into more of this today, are the motives of different threat actors. They’re directed at corporations as much as politicians. This creates exposure that we want to tighten up and we’re going to get into some of the ways and means of doing that.

Gail Heimann: And I think it’s important for us to consider the reactive versus preparedness continuum and where this issue fits on that spectrum. I’m going to go back to Chris K. For those of us who check our feeds every morning, it feels like information disorder writ large has become synonymous with politics and foreign actors. There was some news around ransomware only yesterday that seems pretty intriguing. We’ve got a lot of senior leaders from a lot of companies represented on this call. Should they be worried about being caught in the middle of all of this?

Chris Krebs: No question. And the bigger challenge here is it’s not just about who you are as a brand or who your people are. It’s about who your company is, where they’re based, what they sell, who your people are, and the markets you’re operating in. Where are you targeting? Where are you trying to go? If you don’t have deep knowledge of these questions, you may step into a situation that you didn’t fully appreciate the complexities and the contours of.

Think about what happened with Wayfair. They were accused of child trafficking because some of the names of some of the products they were selling matched up with some missing children. Granted, the impact was not significant from a stock perspective, but again, this goes back to people. Their CEO and some senior executives got death threats. And so it’s not just about the brand or the shareholders. It’s about taking care of your people. Are you thinking through some of the bigger problems than to the extent you can anticipate them?

At a minimum, you have to have response capabilities in the playbook.

Gail Heimann: Anyone can be vulnerable it seems. So Chris, I know that you and your team have been tracking disinformation and disorders like disinformation, misinformation, narrative attacks, weaponized narratives, and deep fakes via our media genius franchise for several years. But this feels like a more urgent, slightly different phenomenon. So tell us, what’s different here? Why is the urgency growing?

Chris Perry: Part of it is mood. The mood’s darker, right? There are a lot of cohorts out there that aren’t feeling particularly good about certain situations and they’re very emboldened to act in ways that might fall outside of the norm. I think the tactics they employ are becoming more aggressive and they’re harder to track. Because again, some of this is happening beyond the platforms where there are data trails that you could see. There’s a greater willingness of various cohorts to extort, rebel, and challenge the status quo.

And it’s not always about attacking an institution. It could be going after a system that underpins the economy, like the stock market. If you really dissect Wall Street Bets, and GameStop, there are various ways information is being used that are seemingly legal but embody the tone of rebelling and challenging the status quo. It’s gaming the system for economic benefit.

The technology is also a lot different. We’re on the verge of algorithms and automation changing the calculus of risk strategy. We’re on the verge of a massive automated content creation movement based on new technologies that we’re tracking, tech like GPT-3. We’re talking about roughly 300 apps that run on the ability for robots to create copy. We’re talking about billions of words produced every day. Just to give you a comparison, WordPress is one of the biggest content management platforms in the world, and that amount of auto-generated content is similar to what hits WordPress every day.

The idea of not only people but botnets being used to amplify certain content to game the media system is already happening. For example, some do-gooders are trying to amplify climate news as a way of elevating its importance and the search value to add value to readers. So you have this artificial distribution already taking place. And we’re right on the precipice of a deepfake movement. It’s not just us being parodied. This technology is going to be used to manipulate anything that might be seen as truthful from a content standpoint. You bring these forces together and they change the risk calculus.

Fortunately, we have partners in our mix that help us figure out what to do about that.

Gail Heimann: I think that’s key. I’m going to go back to you Chris K. Sometimes this feels serendipitous. It feels like there are random tweets and very small portions of users taking to social media to troll companies or individuals. But from what you’ve seen, what is the level of sophistication? Is this random? Are these small, bad actors? Are they big, bad actors? Who are the threat actors that could most impact companies?

Chris Krebs: There are five categories of threat actors.

The first consists of the political activist influencers. Think about what happened in the 2020 election. They have an objective they want to achieve. And unfortunately, companies can get caught up. For instance, Smartmatic. The funny thing about Smartmatic getting rolled up into the political conversation is that they only exist in one part of the country and that’s LA County. And yet they are tagged with part of this broader effort to overturn the election. So the point here is that facts don’t matter. It’s narratives that matter. And you have to think about how you can be used to spin a narrative.

The second is extremist trolls. Think about the various groups that are emerging between the Proud Boys and Groypers. If you’ve tracked what’s happening with Pit Viper, which is a sunglass company, they’ve been co-opted by a white nationalist group.

The third consists of conspiracy theorists. These are people who, for whatever reason, believe some outlandish concept. I would probably throw the anti-vaccine community into that category right now. Disinformation super spreaders play such a dynamic role in this. Alex Berenson is a great example of an anti-vaxxer that has an outsized impact that gets amplified for broader reach. Look at what happened in Tennessee, where their department of health says they’ll no longer promote vaccines to children.

And then you’ve got profiteers. We already talked about what happened with GameStop. It’s people that are scamming the information ecosystem for their own benefit.

And lastly, which I think probably has an outsized impact from an assessment perspective, are state actors.

They overlap throughout the five — you could see two or three interacting on the same campaign recently with COVID vaccines. There was a campaign in Europe that was traced back to a Russian operation where an ad agency was trying to get influencers to promote misinformation about Western vaccines. Really what was at play here was the Sputnik V vaccine was trying to make up some credibility gaps with the Western vaccine.

So there’s this fascinating interplay of geopolitics, vaccine diplomacy, and prophet conspiracy theorists.

If you don’t have a process, a team, a framework in place to make sense of all of it, you’re forever going to be in a position of, “why is this happening to us?”

You can take the narrative back.

Gail Heimann: In the past, I think companies have felt they aren’t at risk. Maybe they feel they’re in a category that seems impervious to this kind of thing. But it feels like based on everything we know and everything we’ve heard in the last few minutes, that there are risk factors for everyone. So what would you say to a leader who feels maybe this isn’t a priority and how would you suggest they get into it?

Chris Perry: I think the way we get into it is to really talk about it. If you recognize that we’re dealing with new fundamentals and that they’re going to affect all companies, not just visible ones, the guidance might be to watch what you do as much as who you are.

There are certain things that an organization can do either knowingly or unknowingly that put them in the crosshairs. Things like standing out on certain social issues. Unfortunately being visible makes you a target. When thinking about purpose-driven planning and creative, we have to be mindful of that.

When a data breach happens, stolen information can be used not only for ransomware, but to expose malfeasance. What is shared through breaches can put organizations on their heels. Probably stuff that’s closer to home: misreading or overlooking reaction to certain communications acts is just a nonstarter. You just can’t put your head out there without really knowing how different cohorts might react to a message, a campaign, an action. And then that brings us to another territory — we can’t have our content showing up and supporting the wrong outlets or the wrong people. That brand safety element. Those are all examples of what you can do versus feeling secure because you’re a bit more under the radar.

Heineken is a recent example of a company promoting something seemingly normal — celebrate the vaccinated who are getting out and having fun — who got smoked for it. The reaction that impacts news coverage, it impacts social and it impacts search. If you look at the meme creation around this issue, a lot of it is just people messing around. But in aggregate it presents a very different picture than what a lot of us are used to seeing in the crisis and issues business. It’s new fundamentals.

Gail Heimann: A final question for Chris K. Earlier this year you spoke at an industry conference about learnings from the public sector. So what have government agencies done that could be helpful to companies and brands?

Chris Krebs: I think what I can give you is my own experience at CISA preparing for the 2020 election. We spent three and a half years preparing for a secure election. We worked through dozens of scenarios and we built playbooks and we conducted exercises. We had a pretty good sense of where things stood from a technical cybersecurity perspective. But it dawned on us that the power of the narrative was going to be much more impactful than a true technical attack.

So we had to take those playbooks and adapt them for a disinformation operation. So it’s preparation. It’s anticipating. It’s having playbooks. But let me close out with this piece. The adversary, Russia and China, in particular, don’t silo responses. The adversary sees information warfare as part of a bigger platform. And when we silo our response, it creates a much easier opportunity for them.

There’s a cyber security expert by the name of Dmitri Alperovitch. He famously said several years ago that there are two kinds of companies: Those that know they’ve been hacked, and those that are yet to find out they’ve been hacked. Same thing applies here. You’ve either been targeted by an information operation, or you’re about to be.

How do you be proactive? How do you prepare for these same concepts that happen on the cybersecurity side? There’s opportunity here. It’s just seizing the moment and doing what’s needed to be ready.

Gail Heimann: Chris Perry, one last question. Do you think we’re going to see a compliance-type regimen on these kinds of issues for companies?

Chris Perry: I think so. It’s best for all of us to get ahead of regulation. There’s no question that the issues we’re talking about create points of exposure that ultimately will warrant a regulated response to make sure companies are better prepared going forward than they are today. We’ve talked with people far outside of the advertising and marketing community to really understand the compliance risks and regulatory elements. And no doubt, they’re coming.

This Q&A transcript was edited for length and clarity.
