The report, which is authored by researchers from the Center for Strategic and International Studies, points out that traditionally, cyber defense has focused on sensitive military and intelligence infrastructure. But that may be changing, according to their research, which involved tabletop exercises with cyber and foreign policy experts, as well as a public survey.
Adversary nations and non-state actors — such as cyber criminals, political extremists and “lone wolf” actors — may all seek to use cyber attacks to "destabilize” the federal government. Disrupting essential food and medical assistance services like SNAP and Medicaid could spark chaos and distrust in the federal government’s abilities. This could exacerbate polarization and make residents more open to believing misinformation and disinformation, cyber and foreign policy experts told the researchers.
Such attacks would be extra impactful if timed to strike during sensitive political moments, such as elections or foreign policy crises.
Attackers might also try to cause panic and economic disruption by hitting federal economic supports, like the Small Business Administration’s small and medium-sized business grant programs. They could also try to hack and manipulate federal economic data to create confusion in financial markets.
“Experts saw federal agencies that support economic activity as being most susceptible to cascading effects, with even small intrusions creating fear and panic likely to undermine trust and confidence in the federal government,” the report reads.
Experts also predicted that non-state actors would want to enhance polarization by hacking into public health research. Based on that research, attackers could then spread public health misinformation and disinformation. The resulting confusion would likely cause the public to doubt government health decisions and question the administration itself. Attackers could also try to deliberately deepen existing social divisions on matters like vaccines.
Federal defenders can respond to these risks, in part, by shifting to prioritize the protection of systems that provide basic needs. That can mean enhancing current threat hunting efforts as well as practicing how government can engage with the public during a cyber crisis, authors suggested.
Public outreach is also important to ensure residents understand cyber threats, what the government is doing about them and the funding needed to fuel such efforts. That can help win public support for cybersecurity work.
The researchers also found “a general lack of clarity and awareness about the U.S. government’s cybersecurity funding.”
One solution could be creating an entity that collects and analyzes cyber statistics and shares them with the public. The report notes, “there [currently] is no, single credible source of information about cyber attacks in the same way that there are public databases on everything from weather patterns to crime statistics to economic data.”
Public outreach efforts should also acknowledge a gender gap in perspectives on cyber threats and cybersecurity needs.
The researchers’ survey of 1,000 Americans found that respondents identifying as men were 27 percent less concerned about deepfakes being used “as a form of political warfare” than were self-identified women. Men also were 48 percent more likely than women to think current federal cybersecurity spending is enough. The report did not address other genders.
Women are more often targeted by malicious deepfakes and social media harassment than men, and so their higher level of concern might reflect the greater threats they face and anticipate facing, researchers suggested.
One takeaway is that government needs to do more to protect women — efforts that likely will involve working with private social media companies, researchers said. Findings also underscore that it’s important for the Cybersecurity and Infrastructure Security Agency and government CISOs to ensure cyber policies reflect “gendered perspectives.” Government may also want to tailor its cybersecurity public awareness campaigns to different genders.
Threat actors might launch gender-targeted attacks, such as using targeted misinformation and damaging deepfakes to try to discredit female political candidates, and they may seek to deepen gender divisions.
“The manipulation of gender-based differences through deepfakes and computational propaganda will exacerbate fault lines adversaries can use to further polarize society and undermine trust and confidence in governing institutions,” researchers wrote.
