Amid the artillery strikes and armored assaults, several quieter aspects of Russia’s invasion of Ukraine require closer attention, including targeted phishing and malicious data mining.
Russian operators, or at least their supporters, have flooded the inboxes of Ukrainians, particularly military service members, with malware-laden email. This tactic can be used to distribute disinformation and amass personal data to further their effort of compiling lists of Ukrainians for detention and harm. Similarly, thousands of text messages have reportedly been sent to local police and military members. This risk is not unique to Ukraine, and U.S. leaders must take steps now to harden the United States and protect its service members against similar tactics.
It is the new normal for military service members and veterans to be considered high value targets in the information war. Russian disinformation efforts have already targeted Americans with tactics like creating fake accounts for individual veterans and veteran service organizations such as Vietnam Veterans of America on social media. But the threat is not limited to social media. There are significant risks to military operations due to data collected for targeted advertising. This data can be used to deliver misinformation and disinformation, and can even amplify propaganda if bad actors purchase or access the data and weaponize it.
Name, service identifier and address may be covered as personally identifiable information (PII) under some laws, potentially mitigating this problem. But it is easy to identify people with simple information from their cell phones, whether that comes from ad identifiers or the phone number itself. Ad identifiers can be aggregated with other tracking information by numerous entities, from online advertisers to data brokers, to reveal patterns of daily life such as where someone lives and their political preferences. If this were only about selling sneakers, it would be less of a risk. But when this data becomes a vector to target and harass individuals, it is a national security concern.
The implications are severe when directed at the military. And this is not hypothetical — service members have already been targeted and face digital privacy concerns. For example, one service member was falsely identified as patient zero at the start of the COVID-19 outbreak, which led to a torrent of attacks online against her.
And the threat expands when companies like ID.me, which sell targeted advertising, gathers lists of service members and veterans. Service members usually show their identification card for military discounts, but now some companies require enrollment through ID.me instead of showing a physical ID. Controversies around the accuracy of ID.me data and issues with facial recognition already led one federal agency to withdraw its requirement to use it to access government services.
Linking biometric data and even publicly available information with service data creates a target of opportunity for malign actors looking to identify and target service members and their families. Service members are waking up to this threat, even if the services remain hesitant to address it. Service members increasingly use apps like Signal for texting about work even though this is a violation of Department of Defense (DoD) policy. But using commercially available apps means trusting the app developer, which brings its own risks to operational security as the tracking of Russia’s military activities in Ukraine demonstrates. DoD’s response that personnel should be using an approved method misses the fact that most service members do not have access to government-issued devices.
To move toward increased security and privacy, three steps must be taken.
Congress should either act on federal data security and privacy legislation that specifically protects service member data or pass stand-alone legislation. Data privacy legislation has been on hold for years, but the conflict in Ukraine demonstrates that protecting individuals becomes a national security issue when full-scale hostilities begin. Legislation should at least govern how civilian companies collect and sell information on service members and their immediate families. This could be a foundation for uniform data privacy and security measures for all Americans.
The military also needs to better educate the force on the risks of social media and how companies collect service member data. For example, TikTok is already banned from government devices, yet countless service members use it on their personal devices — sometimes displaying themselves in military uniform. TikTok’s privacy policy states voice and other biometric information can be retained, and it uses ad identifiers as well as location information. And while this is from a Chinese company, U.S.-based companies present risks too, because sensitive information can be gleaned from the data. To address this, the military should limit the tracking of users on DoD networks and work with companies that collect and sell service member data to improve security collaboratively.
Ultimately, the DoD must embrace privacy as a national security priority. New technology should be developed so purely civilian products are not needed to cover DoD gaps. Something simple like an approved secure messaging app that can be used on personally owned devices without significant hassle would help. The DoD needs to ensure that there are no service members left without access to necessary systems, which could leave them unprotected, and should improve product usability to avoid less secure commercial alternatives from being used. The military overall needs to take a more expansive view of privacy beyond PII, which despite monotonous training requirements, frequently isn’t that well protected.
The United States should act now to better protect our service members and their families, veterans and national security overall. As the tragic situation in Ukraine demonstrates, the threats present in the information warfare space will only expand.
Jessica Dawson is the Information Warfare Research Team division chief at the Army Cyber Institute and holds a PhD in sociology from Duke University. Her research is focused on the digital disruption of social processes, narratives and privacy.
Brandon Pugh is a senior fellow and policy counsel on the R Street Institute’s Cybersecurity and Emerging Threats team. He continues to serve as an international law officer in the U.S. Army Reserve and previously managed the Journal of Law & Cyber Warfare.