Last year, experts expected great things from 2020: thanks to the upcoming Summer Olympics, developments in AdTech, and the election cycle, digital advertising was projected to grow by 6.6% this year, raking in higher revenue and more customers than ever before. But for most people, this has not been a good year, and - four months on from January 1st - we have witnessed an average 10% decline in ad revenue across industries. It’s fair to ask: “what happened?” But the answer is already obvious: “coronavirus”.
When it hit, nobody was expecting the COVID-19 pandemic that now sweeps across Asia, Europe and the Americas, which is poised to overtake the 1918 influenza pandemic in cost of life and economic loss. The Dow Jones has fallen by more than 3,000 points as consumers – following the guidelines of America’s best policymakers – stay indoors, away from public locations and retail outlets.
Right now, one thing is on everybody’s mind and – thanks to a demand for commodities like toilet paper and face masks – ecommerce sites like Amazon are doing well. Digital advertisers, on the other hand, aren’t reaping the benefits of this increased online activity because – in an effort to prevent price gouging, misinformation and opportunistic fraud - “coronavirus” (and variants) is now the second most blocked word across ad exchanges.
This incident serves to dramatically illustrate a deeper point: advertisers are now facing the repercussions of neglect that has left the web vulnerable to a variety of abuses over a period of two decades. Now – as the Web faces dramatically increased traffic from remote employees, online school children, and potential victims searching for answers – these threats are having a real-world impact on our ability to cope with COVID-19.
The word “virus” now refers to any non-living agent of destruction and replication, whether it propagates through interconnected digital systems or biological ones. When a virus becomes a global threat, it also becomes a pandemic: by this standard, we have been in the middle of a digital pandemic for many years.
Thanks to third-party code (3PC), attackers have an easy route to Internet users through websites, apps, and IoT devises. It comes in many forms, from pop-up ads and malicious redirects to web plugins such as targeted content recommendation and photo galleries: by tracking users through cookies and browser fingerprinting, 3PC can follow them from one device to another, stealing sensitive data, redirecting them to malicious sites and bolstering fake news.
Today, 85 – 90% of the code across major media websites is not owned and operated (O&O) by the brand: the gaps are filled by 3PC, which is rarely monitored, leaving backdoors for hackers and other malicious agents to steal data or money and spy on users. Because of third-party code, large-scale attacks impact multi-billion-dollar corporations: although the details of these incidents are rarely published, look at last year’s headlines for data breaches, and you will almost certainly find an example of malicious 3PC at play.
Through malicious advertising (malvertising) and third-party content recommendation, foreign attackers are able to promote ideological messages and subvert American elections from the outside. In January of this year, Iran managed to deface a military website with anti-American propaganda through vulnerabilities in a third-party app. Thanks to the government’s rigorous security standards, no classified information was stolen - nevertheless, this event shows just entrenched 3PC has become even at a federal level.
Trust for corporations and digital publishers has plunged – just as consumers are fleeing from brick-and-mortar stores to avoid COVID-19, they are using ad blockers that reduce publisher revenue to avoid 3PC. Unfortunately, they are justified in doing so: today 20% of ad spend is fraudulent, leading to phishing attacks, credit card fraud and rampant quality issues even on Alexa 200 websites.
Unsurprisingly, these attack routes are used to prey on the vulnerable in the midst of public disaster. Within the past two months, we have seen the launch of fake CDC sites and other sources of misinformation that target those at-risk-of infection, including the elderly and immunosuppressant. Meanwhile, children are spending increased amounts of time online while away from school: while they are safe from physical infection, they are not safe from malware or attackers.
During the COVID-19 crisis, some have voiced their concerns that the Internet will suffer from low bandwidth, leading to poor video streaming through services like Netflix. We would like to suggest that – while the ability of Americans to binge-watch episodes of Friends is certainly worth protecting – the overall integrity of our information highway is and ought to be a much higher priority.
The status quo is not enough. For years, the government and private sector exclusively worked to protect their own interests online, and as a consequence, the public web has deteriorated to the point that it is harming our nation at multiple levels.
Fortunately, it isn’t too late to fix this problem: but doing so will require cooperation from every stakeholder in the digital economy. What Big Media and AdTech companies couldn’t accomplish by themselves can be accomplished by working together with publishers, vendors, legislators and government bodies. As the digital pandemic encroaches on our daily lives, the time has come to seek a cure, and here’s what it might look like:
The first step in beating COVID-19 is to find where it’s hiding so communities can be protected and individuals can be treated. The exact same thing applies to 3PC: publishers should be looking for malicious code in their ads, parked domains, software developer kits (SDKs) and plugins. Likewise, AdTech agencies and ad networks should be scanning thoroughly for infected ads in their supply chain and identifying the worst offenders.
“Quarantine” and “social distancing” are two words which have become popular of late, and they ought to be vigorously applied within the digital ecosystem. Just as carriers of COVID-19 should stay inside and avoid contact with others, publishers should cut off access to third-party partners who are using their site to spread malicious code, while AdTech agencies should suspend them on sight.
Right now, doctors cannot do much for COVID-19 except symptom management: only when a cure is discovered will it be possible to eliminate the virus from infected patients. Publishers, on the other hand, can do more than manage the symptoms of 3PC through a Content Security Policy that forms a permanent defensive barrier against the malicious code that harms their users.
The last step is the single most important one for dealing with the digital epidemic: just as the government has played a crucial role in enforcing stay-at-home policies and social distancing, it must work with the digital advertising community through law enforcement to protect the digital economy from malicious code for years to come. In time, we may live to see a cleaner and freer web: but that future will only be realized if action is taken now, while it’s still within our grasp.
by CHRIS OLSON
Digital3PC.com is an independent platform that brings together the best minds from tech, government, research, and academia to shape the future of cybersecurity policy and offer best practice solutions when responding to cyber threats. The most common access point for malware spread, data breaches, IP theft, election meddling, disinformation campaigns, and cyberwarfare is malicious third-party code (3PC) that makes its way into our websites, apps, and IoT devices. The compromise of the digital ecosystem erodes user trust and the credibility of media organizations, and undermines the integrity of our democracy, economy, and public safety.