In 2021, Americans are feeling the impact of increased cybersecurity risk. Ransomware incidents are on the rise, alongside phishing and software supply chain attacks, breaches of critical public infrastructure and more. Ultimately, these problems affect us on both a national level and an individual one. For instance:
- A recent FTC report shows that over 300 thousand Americans suffered from credit card fraud in 2020, while more than 1.3 million were victims of identity theft
- According to the Identity Theft Resource Center (ITRC), the number of data breaches has already surpassed the total for 2020, while the quality of data stolen has increased
But while these trends are scary, none are more dangerous to our long-term security than global cyber actors who seek to destabilize nations by manipulating elections, propagandizing youth and using public emergencies to their advantage. All three have happened in America, and they will keep happening until we address the underlying cause.
Fortunately, our government has made moves in the right direction: with May’s Executive Order, for instance, the White House pushed federal agencies to adopt better standards of software security. However, further progress won’t be possible until our politicians understand the role their own political activities have played in endangering the nation.
How Third-Party Code Impacts Americans
Today, 90% of the code across consumer-facing websites is owned and operated by third parties. Third-party code also appears in desktop and mobile applications, handling complex user functionality like shopping cart and payment features, video and media rendering, advertising, monetization features and more.
But while most third-party code is innocuous and necessary for our globally connected society, some of it is controlled or hijacked by foreign adversaries. With no regulations and very little oversight to prevent this from happening, a small percentage of malicious third parties can impact Americans in big ways. For instance:
- Election Interference – in 2016, Russian operatives spent hundreds of thousands of dollars in programmatic advertising (a form of third-party code) targeted at American citizens ahead of that year’s presidential election. The same thing continues to happen in the present.
- Propaganda and Influence – through content recommendation features found across social media, news and entertainment sites, foreign actors can spread fake news and misinformation. Furthermore, they can target the story to the user based on their online history and preferences.
- Targeted Reconnaissance – by targeting specific areas and organizations, third parties can collect sensitive information about specific government leaders, executives and other individuals in positions of power. They may also use this data as an entry point for further data collection or cyberattacks.
- Exploitation of Emergency – during the COVID pandemic, malicious third parties peddled false information regarding the virus, fake test kits and overpriced medical supplies. Such techniques can easily be used by foreign actors to create instability and confusion in the midst of a natural disaster or emergency.
Although it’s not uncommon for Alexa 500 websites to host more than 100 third parties per user session, most organizations are barely aware of their existence, much less doing anything to monitor or control their activities. But our politicians should be aware, especially since they heavily depend on digital third parties for their projects and campaigns.
A Deal with the Devil
Ultimately, the same properties which make third-party code so useful to foreign actors also make it useful for domestic politicians and government officials. The 2020 presidential election has been called a “digital election,” and not without reason: while traditional media like TV and print are still effective, in 2020, politicians spent 460% more on digital advertising than during the previous election cycle.
Aside from spending more than 30% of their combined media budgets on digital advertising, candidates Donald Trump and Joe Biden also maintained campaign websites with a high number of third parties. We found that a number of these parties originated from foreign countries:
- 96 domains on Trump’s website, with 12% (11) foreign-originating
- 150 domains on Biden’s website, with 16% (24) foreign-originating
Countries of origin ranged from the Americas (Canada and Brazil) to Europe (the U.K., France, Denmark and Germany), Asia (Japan and Singapore), and the Middle East (the United Arab Emirates, or UAE). While China did not appear in preliminary scans, third parties from nearby countries have a high probability of being operated by Chinese buyers.
The Need for Regulation
Ultimately, the relationship that U.S. politicians have with digital third parties is understandable: they are quickly becoming the most effective way to spread a message and influence a base. But it has all the qualities of a Faustian pact: as long as third-party code is left unregulated, foreign actors can access and influence Americans just as easily.
As foreign threat actors advance and Web technology becomes more sophisticated, the threat of malicious third parties will also dramatically increase. Before that happens, our lawmakers have a moral and patriotic duty to pass sensible regulations. At a high level, that means requiring organizations to:
- Continually track and monitor the activity of third parties across all of their digital properties (websites, software and mobile applications)
- Understand and publicly disclose the activities of third parties to users
- Remove bad actors as soon as they violate reasonable standards for user safety, and report them to authorities designated for that purpose
In the short term, such regulations will require politicians to sacrifice easy political gains and expend more effort vetting their digital partners. In the long term, they will help to ensure the survival of our political system, and of the Web as a channel for political advertising and engagement.