Social media monitoring needs to be part of local agencies’ cybersecurity strategies, according to Lester Godsey, CISO of Maricopa County, Ariz., who spoke during the RSA conference.
Maricopa County is well-versed in how disinformation and misinformation spreading over these platforms can turn into security risks. Unfounded 2020 election fraud claims have inspired violent threats against election workers and their families and led to the county being subject to a widely criticized audit by firm Cyber Ninjas that saw the state consider seizing routers — which would have upended operations, Godsey said.
But observing online posts and conversations can tip officials off to risks as they’re developing, and the county has been using brand sentiment analysis tools, individual social media post analysis and collaboration with communications officials to help detect threats and counter false information.
Many people get their news from social media, with a 2021 Pew Research Center survey finding that 48 percent of U.S. adults “often” or “sometimes” get news on social media. As such, paying attention to social media is important for agencies that want to understand constituents’ views about them as well as discover and ready for potential attacks.
“From a cybersecurity perspective, we’re constantly in the businesses of risk … [and] if risk is part of your regular, daily activity, how can you not start paying attention to social media?” Godsey said.
Monitoring social media is especially helpful for detecting potential kinetic risks, Godsey said. He recalled an instance following the 2020 election, in which an individual posted on social media about seeing equipment being transported out of a government building into a truck. This was in fact an old device that a deputy sheriff was taking to salvage, but the social media poster believed it was voting equipment and other social media users encouraged the individual to follow the truck.
“This is a situation that could’ve turned really ugly,” Godsey said.
More recently, social media monitoring has underscored officials’ concerns about insider threats as they look to hire seasonal election workers.
“We’ve seen posts on social media saying, ‘Hey, Maricopa County is hiring, this is the opportunity to get the right people in there and see what’s going on,’” Godsey said.
Maricopa County has turned to the same kind of brand sentiment analysis tools used by many companies — in this case Hootsuite and Brandwatch, Godsey told GovTech — to help get a sense of the landscape and whether social media posts about the county are leaning positive, negative or neutral.
But much of the analysis needs to be done by people. In Maricopa, this falls to a five-member operations team that spends about 10 to 15 percent of its time each week reviewing posts. Members take time each day to examine social media posts and see if they seem to be reflecting the views of genuine individuals or if they may be part of a larger concerted effort, such as a messaging campaign from a nation state. The same phrasing cropping up across platforms and profiles could be an indicator of a coordinated effort at work that presents a cyber or kinetic risk.
This can be emotionally challenging work, with staff forced to spend significant time reviewing the more negative and “ugly” areas of the Internet, and organizations need to be ready to support staff members, Godsey said.
Depending on what the teams discover, they may warn law enforcement about potential kinetic threats or adjust firewalls to block activity from geographies from which they anticipate heightened cyber threats.
Governments that become aware of fomenting false narratives can also then work with communications officials to push out genuine, reliable information to counter it. Godsey recommends quick reactions, including tweeting out information in real time and responding to allegations.
For agencies looking to get started in monitoring social media, Godsey recommended first assessing what monitoring capabilities their organizations have — something communications departments likely can help with. Agencies will also want to update incident response protocols and plans to include some level of social media monitoring and be sure to educate other officials on why this work matters. Getting buy-in from leadership and others may require finding ways to continue to show the value, including with daily intelligence briefings about trends and other findings.
There’s plenty of reasons agencies should care, he said.
“If you care about reputation, brand, having trust, your bottom line — social media has the ability to influence all those things, positively or negatively,” Godsey said.