Meta milestone in curbing covert influence operations
Meta has announced that it has surpassed an important milestone this year in taking down more than 200 covert influence operations since 2017 in nearly 70 countries that operated in more than 40 languages, in addition to taking action against spyware vendors indiscriminately targeting people in about 200 countries and territories, as part of the growing surveillance-for-hire industry.
Meta has paid more than $2 million in bug bounty payouts this year, bringing the total reward amount to the security research community to more than $16 million since the start of one of the industry’s oldest bug bounty programmes in 2011.
Meta is sharing a number of updates on its work to protect people around the world against various threats — from run-of-the-mill hacking to commercial spyware to covert influence operations.
“This year, our focus has been bringing different teams and functions together to break down silos that are very typical for our industry, and enable stronger efficiency and knowledge-sharing between teams to protect both people and businesses. One example of this is our work to protect businesses from advertising fraud, which often starts with a personal account of a Facebook Page admin getting compromised. To combat this, we work across many teams: from security engineers who architect our authentication mechanisms, to threat intelligence teams who track threat actors, to integrity teams who use machine learning to detect abusive accounts and content, to the support teams who help remediate the issue,” said Guy Rosen, Chief Information Security Officer and Nathaniel Gleicher, Head of Security Policy.
Security is a highly adversarial space where we are constantly thinking about how our products, our policies and our enforcement may get abused, he adds.
“We have to keep evolving our defenses and processes in response to malicious actors trying to work around them. The stronger our defenses become, the more threat actors try to exploit even the smallest gaps in enforcement and expand their targeting across different services. This means that our industry must continue collaborating through information-sharing with each other and security researchers to raise the bar across the board,” Rosen said.
This year marked a major milestone in Meta’s enforcement against covert influence operations — the company has now disrupted more than 200 networks worldwide since 2017 for violating its Coordinated Inauthentic Behavior (CIB) policy.
These deceptive networks came from 68 countries and operated in at least 42 languages. Most of them targeted people in their home countries, and only around one-third aimed solely at audiences outside of their own countries, engaging in foreign interference.
The United States was the country most targeted by global CIB operations, followed by Ukraine and the United Kingdom. Russia was the most frequent geographic source of CIB networks, followed by Iran and Mexico. Influence operations that originated in Russia most often targeted Ukraine, followed by African countries and then the US.
As larger tech platforms continue to catch these operations sooner, Meta expects threat actors to keep targeting smaller, less-resourced services. Information-sharing among researchers, industry and government will be all the more critical to help expose these networks.
Meta just published its second threat report, which provides insights into the growing threat posed by the global surveillance-for-hire industry, which indiscriminately targets people — including journalists, activists and political opposition — to collect intelligence, manipulate and compromise their devices and accounts across the internet.
This year, Meta has taken down global spyware entities, including in China, Russia, Israel, the United States and India, who targeted people in almost 200 countries and territories. This industry exponentially increases the supply of threat actors by providing powerful surveillance capabilities to its clients against people who typically have no way of knowing they are being targeted.
In 2023, Meta expects this industry to continue targeting people wherever they are on the internet. Because surveillance-for-hire services cast their net so wide, no single company can tackle this alone. We strongly believe that we need a concerted regulatory response by democratic governments, as well as continued action by industry and focus from civil society.
“Our research shows that people are twice as likely to recover their Facebook account if their contact points — like the email address or phone number they have in their settings — are up to date, so we can reach them when they need help. However, people lose access to email addresses or switch phone numbers — a challenge that is recognized across our industry. We’ve also seen threat actors target people’s contact points to gain broader access to other online accounts connected to their email. In fact, when looking at compromised Facebook accounts, we found that one in four began with a person’s contact point being taken over. To help prevent and mitigate this, we’ve rolled out new security features and support options this year,” he added.
Meta also said that its Bug Bounty programme continued to play an important role this year in enabling collaboration between its internal and external researchers to find and fix bugs across its apps. This year, Meta has rewarded about 750 bug bounty reports by the security research community, and it paid out more than $2 million in bounty awards — bringing its total to more than $16 million since 2011.
Finding and reporting security bugs: To help strengthen the security of the broader internet, Meta’s Red Team has found vulnerabilities and reported them to maintainers of open source libraries and industry peers, including Schneider Electric, Airspan and MITRE so they can patch them and protect their users.
Meta is making updates to its Bug Bounty programme, which include finding new ways to work with external researchers to help secure its virtual reality and mixed reality metaverse technology. It is also setting new payout guidelines with bounty amounts that range as high as $300K, making the programme one of the highest-paying in the industry.