Riku Ruokolahti: Reputation is a key force against information manipulation

In the information war, the battle is fought in people’s minds, and democracy as a system is based on people’s minds. It is precisely for this reason that democracy and its institutions are particularly vulnerable when an information influencer strikes. An organization’s reputation, in turn, is shaped by the shared perceptions people hold about each organization. This article explores information and cyber influence from the attacker’s perspective, as well as how organizational reputation relates to the issue.

From a cyberattacker’s perspective, it is essentially about machines and people, as well as the relationships of trust between them—and, more specifically, the exploitation of those relationships for the attacker’s benefit.

Let’s take an example. You receive a message from your child’s teacher that seems surprising but harmless. The message recaps what’s been happening in class. You reply to the message and mention issues related to your child’s health that the teacher already knows about. Except they don’t. They don’t know because the sender of the message isn’t the teacher, but a malicious attacker who knows you all too well. You’ve just revealed more personal information to them by mentioning your child’s health condition. The next message contains an attachment related to this very health condition, which you open despite your computer’s warnings. Of course you open it. Very few people wouldn’t.

You guessed right. The attachment is sophisticated malware.

The attacker in this case has done their reconnaissance and prepared their attack with great care. They have exploited your vulnerabilities as well as the relationship of trust between you and your teacher, and now they are exploiting the computer’s relationship of trust with its administrator. As the administrator, you opened the attachment despite the warnings. At this point, the attacker has gained access to your computer and is exploiting the trust relationships between the computer’s internal interfaces. And once trusted access was granted, the computer no longer questions these trust relationships as easily. Somewhere deep within your computer lies a lesser-known programming flaw that the attacker continues to exploit between your computer’s programs and your workplace’s internal network. After all, there is a trust relationship between your workplace’s internal network and your computer. Whether it involves machines or people, trust is at the heart of an attacker’s work.

If you encounter an attack that has been prepared with such care, you are likely dealing with confidential information or an organization of interest to the attacker. The ultimate target of an advanced attack is rarely a single person.

As we saw in the previous example, the cyber world isn’t just about targeting machines; a key aspect of cyberattacks is also messing with people.

This leads us nicely to the information environment and, further, to the influence of information. At T-Media, we once developed a longitudinal study that delved deeply into Finnish values. This was by no means a hastily cobbled-together set of questions; rather, in qualitative interviews, we heard from a very wide range of key opinion leaders (including the archbishop, the office of the president, state secretaries, cultural and arts influencers, senior citizen organizations, labor unions, think tanks, business representatives, young people, and representatives of various minority groups). Based on this groundwork, we created a quantitative metric that delved deeply into the values prevailing among Finns and their future changes. The study was given a name that did justice to the effort put into it. The study was named The People’s Values.

THE "PEOPLE'S VALUES" SURVEY

The "People's Values" study, developed and conducted by T-Media, was part of the Economic Information Agency (TAT)'s efforts to assess changes in its operating environment. The implementation of this extremely interesting study was cut short due to a lack of funding when the Economic Information Office TAT refined its strategy and shifted its focus to young people. Along the way, the name also changed: the Economic Information Office TAT is now known as Economy and Youth TAT.

Various public opinion polls and their interpretation are standard tools for intelligence services. They can be used, for example, to anticipate social changes or, at their most extreme, to attempt to predict how Ukrainians might react to a potential occupier. Research data is also an important tool in information operations. The “People’s Values” research report would have been a real treasure trove for a malicious attacker. The study revealed more than just values and how they are changing. It revealed the polarization of values—that is, the issues on which citizens strongly disagree with one another. It is precisely this information that is valuable to an aggressor in the context of information warfare.

When an attacker identifies social divides, they can effectively stir up discord among people. By intensifying this discord, people are driven apart and mistrust is fostered, which in turn undermines national unity and further impairs the nation’s ability to make decisions and take action. This is how entire nations are destabilized. One need only read the news or look around to understand how effective this is. American democracy creaked at the seams during the last two presidential elections and their aftermath. Information influence is said to have played a key role in Britain’s exit from the EU as well.

NEW WORDS AS PART OF INFORMATION INFLUENCE

An attacker might, for example, use online discussions to slip terms and neologisms into our everyday language that cause polarization and discord. These slip unnoticed into our everyday language, and a determined information influencer can watch the new life of the terminology they’ve invented take shape in the mouths of politicians, on talk shows, and even on TV news. The true origin of these terms is difficult to prove later on, especially since information influence is a long-term endeavor: these purposeful words may have been in use for over a decade. We may even use the language of the information war ourselves without realizing it. For example, before the war in Ukraine, anyone arguing on behalf of NATO was very easily labeled a “NATO hawk,” while criticism of the Russian government has, in turn, been attempted to be labeled as “Russophobia.”

The functioning of institutions depends on the trust of individuals

Society consists not only of people but also of institutions. In this context, institutions refer to specific organizations operating within the public sector, and they represent fertile ground for a malicious attacker. Citizens’ trust in their institutions is an absolute prerequisite for a functioning society. It is in the attacker’s interest, however, to undermine citizens’ trust in the social system.

At this stage, we’ll take the attacker’s perspective alongside the defender’s and also look at things through the eyes of a mediator. We’ve already become quite cunning by now, and it’s high time we started building trust around us alongside our destructive efforts.

As part of T-Media’s Reputation&Trust, we measure the level of stakeholder support for each public sector organization among the general public. This stakeholder support encompasses citizens’ trust in the organization, trust during a crisis, a desire to hear the organization’s views, a willingness to support the organization with tax dollars, a willingness to work for the organization, and the likelihood of speaking positively about the organization.

In short, these forms of individual trust and behavior toward a publicly funded organization constitute the social operating conditions of that organization. And from the perspective of information influence, it is precisely these operating conditions that an attacker seeks to undermine and that we, as members of society, wish to defend.

How can an organization’s operational capabilities be defended in an information war?

In order to build—and, when necessary, defend—an organization’s operating conditions, it is essential to understand where they originate. The purpose and history Reputation&Trust address precisely this question. In developing the model, we sought to identify, isolate, and articulate the generic perceptions associated with organizations that are linked to stakeholder support—that is, the operating conditions for public sector actors.

Reputation&Trust statistically models an organization’s reputation based on eight different factors. Learn more about the model.

Reputation&Trust has been widely applied to public sector organizations for years. The number Reputation&Trust individual Reputation&Trust in the public sector is impressive. This body of uniformly conducted surveys offers the opportunity to view the collected data as a whole and delve deeper into the subject.

The accompanying meta-analysis demonstrates the link between reputation and the operating conditions of the public sector. The meta-analysis yields a statistical model indicating that changes in reputation affect stakeholder support for the public sector by an average factor of 1.11. Based on this study, it can be confidently argued that reputation is a key factor for the operating conditions of institutions and, by extension, society. By developing their reputation, institutions earn the trust of citizens and build resilience in the event that attempts are made to undermine their operating conditions.

The observed reputation coefficient naturally presents an opportunity for both the attacker and the defender: even a slight damage to one’s reputation erodes the conditions for action when the reputation coefficient is high. Conversely, proactive reputation management builds crisis resilience when the reputation coefficient is high.

A meta-analysis of Reputation&Trust studies in the public sector

Each point in this figure represents a public administration organization analyzed Reputation&Trust between 2018 and 2021. The position of each point in the figure is based on the organization’s statistically modeled reputation and stakeholder support. The horizontal axis represents the organization’s reputation, and the vertical axis represents stakeholder support. Stakeholder support is derived from the average of the organizational operating conditions measured as described above (trust, willingness to speak positively, and so on). Reputation, on the other hand, is the organization’s reputation statistically modeled through Reputation&Trust. The statistical margin of error for each individual study (point on the map) depends on the standard deviation of the responses in that study, but in all the studies presented here, it falls between 0.04 and 0.06 on the 1–5 scale shown in the figure. The data set includes a large number of different Finnish public sector organizations.

Visibility is part of the defense

A representative of the institution might now be tempted to think that reputation issues are irrelevant to the general public if the organization is not very well known. This could be a dangerous way of thinking. I will explain why below.

The following illustrates the brand awareness of two different organizations.

Very few people are familiar with Organization A, whereas almost every Finn knows Organization B, at least by name. And when someone says they know an organization by name, they likely know considerably more about it than just a combination of letters. A name isn’t easily remembered unless it’s associated with a specific thing or image.

From an attacker’s perspective, these organizations are very different from one another. The public has a clear image of one organization, while few people are even aware of the other’s existence.

Does this mean that Organization A, which is relatively unknown, doesn’t need to worry about its reputation from the perspective of information influence? Unfortunately, this is not the case. In fact, from the perspective of information influence, Organization A may be an easier target than Organization B.

When there are virtually no pre-existing perceptions, perceptions associated with an organization can quickly emerge at the initiative of someone other than the organization itself. This may have been the case, for example, with the National Audit Office (VTV). I am not claiming that the events related to the VTV reputation crisis specifically unfolded from the perspective of an information influencer, but VTV is a good example of how the public perception of a little-known institution can very quickly become filled with negative impressions. Today, VTV is a well-known organization.

The phenomenon described above is, of course, an opportunity for an attacker. In a way, one might think that it would make sense for a publicly funded, nationally significant institution to keep the public informed, at least to some extent, about the institution’s existence, activities, and objectives.

I suggested that, from an attacker’s perspective, Organization A might be an easier target than Organization B, but this is not a given. The situation depends on Organization B’s reputation. Being well-known does not in itself equate to a direct defense capability. Let’s imagine that Organization B were the National Audit Office (VTV) with its current level of recognition. Any new negative information about the organization—whether true or false—would fall on fertile ground from the attacker’s perspective. The reception of new information would be influenced by confirmation bias: citizens would be quite willing to believe new negative claims about VTV as well, because they would reinforce existing perceptions of the organization. Consequently, it would be considerably easier to undermine the National Audit Office’s ability to function than, say, that of the police.

Given its reputation, Organization B could well be the police, which enjoys a fairly strong reputation and public trust. From the attacker’s perspective, this is precisely why it is difficult to undermine the police’s standing. Negative information about a reputable organization is not readily believed, even if it is true.

This phenomenon is known as cognitive dissonance. In short, it refers to the uncomfortable feeling that arises when we receive information that does not align with our own worldview. We easily dismiss such information and move on. In such cases, cognitive dissonance arises as a result of a strong reputation and is, in itself, a key defense mechanism. After all, as communication consultants often say: “Reputation carries you through crises.” This may very well be true!

Just to be clear, organizations A and B are not the National Audit Office or the police. The awareness surveys refer to example organizations, which remain anonymous in this context.

From the perspective of information advocacy, low visibility poses a risk to an institution, even though visibility in and of itself does not create resilience for the organization. Resilience in information influence is built through a good reputation, and a good reputation must be earned and built before problems arise, so that the buffer of trust and reputation can withstand the disruption caused by an unexpected situation.

WHAT, IS FINLAND A CORRUPT KLEPTOCRACY?

Even if it is difficult to undermine a key institution, this does not mean that attempts to do so will not continue. Time is on the attacker’s side. Over the long term, every organization will encounter mistakes or problems that a persistent attacker can exploit by accelerating their ongoing information operations.

We Westerners view the Russian political system as a corrupt kleptocracy. Right now, in the spring of 2022, an attacker with the will, resources, and timing afforded by an accurate assessment of the situation could effectively destabilize the Finnish system from the perspective we ourselves have created. By leaking real or fabricated allegations of corruption from the National Audit Office and linking these, through the Jari Aarnio case, to a narrative of police corruption, a sophisticated attacker could take advantage of this window of opportunity and sow seeds of doubt among the people that that our own system is a corrupt kleptocracy.

Reputation impact analysis is highly sensitive information

Let’s return to the cyber world for a moment. Silverskin Information Security tests various systems by attacking them systematically—but with permission, or rather, at the request of the organizations involved. Intensive penetration testing is sure to be noticed. At the very least, alarm bells should start ringing when an attacker tries everything possible—and impossible—at the same time.

Based on the results of the penetration test, a report is prepared for the client that details all the attack techniques and methods tested. The report also includes information on which methods breached the defenses and to what extent. Corrections are proposed for the security vulnerabilities found. Guess whether the report described above contains sensitive information. From the attacker’s perspective, the report is essentially a guide on how to gain access to the target system reliably, elegantly, and undetected. And if something has been fixed, we also know exactly how it was fixed.

An organization-specific reputation impact analysis based on statistics is, from the perspective of the information war, a report of exactly the same value. The impact analysis is based on correlation and regression analyses, and it directly shows which organization-specific perceptions have the greatest impact on the operating conditions of that particular institution. The analyses also reveal which perceptions are weaker—that is, which areas of the organization’s reputation people know least about or on which perceptions they strongly disagree. A sophisticated attacker would use the report in the following way:

The impact analysis would identify the factors that most contribute to and undermine trust in the target organization.
One would examine the factor analysis of the components and select the component of reputation that exhibits both the strongest disagreement and the greatest lack of knowledge.
It would launch a massive information campaign, targeting with surgical precision precisely that aspect of the target organization’s reputation where influence, disagreement, and ignorance converge.

By doing so, an attacker could undermine the target institution’s credibility with incredible effectiveness. All the blows would land precisely where the armor is weakest or nonexistent, and where a vital internal organ lies beneath the armor.

From an attacker’s perspective, the final penetration testing report and the impact analysis Reputation&Trust are essentially the same thing. They are like ready-made strategies guaranteed to succeed. They are also that for the defender, but from the defender’s perspective, success is not as certain, and the defender cannot afford to wait for the right moment. Breaking the rules is in many ways easier and faster than the systematic construction of beautiful things. That is precisely why crisis resilience must be built continuously, purposefully, and above all during times of peace—both in the cyber world and in the world of reputation.

Sometimes completely different paths can lead to the same destination

This time, cybersecurity and reputation have ended up in the same parking spot, reflects the author of this article, Riku Ruokolahti, Development Director at T-Media and lead developer Reputation&Trust . In addition to reputation management, Riku has been involved in various behind-the-scenes roles related to cybersecurity. Most notably, he has served on the board of the cyberattack company Silverskin Information Security Oy for over ten years and has worked as an investor and management advisor at Cyber Intelligence House, a company specializing in dark web intelligence.

Silverskin’s core philosophy is to enhance the overall security of businesses and societies by examining institutions from an attacker’s perspective and proposing corrective measures based on this analysis. CIH, on the other hand, collects information and monitors phenomena, events, crimes, and data breaches that occur under the cover of anonymous networks. Law enforcement agencies (including INTERPOL), societies, and companies utilize the data collected by CIH to prepare for and respond to threats.

The content of this article and the attack scenarios were reviewed by cybersecurity expert Mikko S. Niemelä. Mikko founded the cyberattack firm Silverskin and Cyber Intelligence House, which specializes in cyber intelligence. In addition, Mikko teaches cybersecurity at the National University of Singapore and serves as an advisor to, among others, the United Nations Office on Drugs and Crime (UNODC) and INTERPOL.