The American View: Despatches from the Battle of Bradford-October 2020

I shouldn’t have to be say it, but you mustn’t believe everything you encounter on the Internet. This shouldn’t come as a surprise anymore. There are no Nigerian princes eager to share a massive cash reward with strangers. You’ll never win a lottery that you haven’t bought a ticket for. You can’t septuple your savings with cryptocurrencies. You’d think that twenty years of ubiquitous online nonsense, scams, and ranting loons would’ve successfully inoculated everyone over the age of five against online fraud and misinformation. And yet … no. Here we all are, just as gullible today as we were when the “ILOVEYOU” virus first struck twenty years ago. People the world over keep falling for relatively obvious hoaxes, phish, and fake news. Why?

 

It’s not because of any lack of education; most every organisation has some sort of mandatory “security training” requirement. Schools have media literacy and computer safety classes for children as young as kindergarten. After-school programmes like the Scouts have digital safety education activities like the BSA’s “Cyber Chip.” Security researchers post warnings, stories, and explanations of new online threats to social media on a daily basis. We have all the education resources we need with plenty extra to spare. By now everyone should be fully prepared to recognize and evade online deception-based attacks. And yet … no. People keep falling for them.

 

Bluntly, we’re the problem. All of us. It’s not that we’re unprepared for the threat; rather, we’re too quick to accept new content at face value and to act on it before our rational minds can focus on the content long enough to recognize the “tells” that a message is fraudulent. That’s what scammers, phishers, Russian disinformation operatives, and trolls bank on: they know we’re all distracted, stressed, busy, and only partially paying attention to the unceasing conveyor belt of digital drek flowing from our phones. The baddies know that if they can appeal to our raw emotions with something that seems plausible, we’ll fall for it. We’ll react before we can think. That makes us all perpetually vulnerable to misinformation.

 

So, what can we do about it? Give up the Internet? Abandon social media altogether? Not likely. What we need instead is a rigorous regimen of mental and emotional conditioning. Effective defence against deception-based attacks is a lot like biological defence against diseases: the more physically “fit” you are, the more likely it is you’ll be able to resist an invading organism. That’s why soldiers constantly work out. The more physically fit you are, the healthier you tend to be, and (logically) the less susceptible to fatigue and illness you become. Knowing that fact alone doesn’t make you more fit; you must regularly work out to build both muscle and endurance. So, too, we need to regularly “work out” regularly with mental and emotional challenges that force us to become more cautions, more sceptical, and sharper eyed. We need to routinely condition ourselves to spot and disengage from balderdash when it appears in our media feed.

 

How do we condition our emotions, though? Especially if we don’t work for a large organisation with a formal phishing defence programme? It can be easier than you think: military-grade problems warrant military-grade solutions, and the RAF has stepped up to help the general public! Kind of. Specifically, RAF Luton volunteered to help. Sort of. Really, it’s @RAF_Luton on Twitter putting in the spade work. This account is, in their own words, “The assumed Official Twitter account of the world's most mysterious & secret (and fictitious) military base.”

 

To be clear, there is no real Royal air Force base in Luton; hasn’t been since the days of No. 264 Squadron during World War 2. @RAF_Luton is the public affairs arm of a “secret military airbase” that doesn’t exist. It’s someone – I honestly don’t know who [1] – having a bit of fun on the Internet and, in the process, doing a lot of good in the struggle to inculcate better cybersecurity behaviours in its readers. Every day, the @RAF_Luton crew release an interesting photo of some contemporary or historical military activity or other with a typical military PAO’s explanation of what’s happening in the photo.

 

That’s where the game changes: only the photos are real. Real airplanes, real scenes from history, etc. The captions, though, are so thoroughly, deliberately, and artfully wrong that that there should be no conceivable way that anyone could interpret them as truthful. And yet … people do. Readers who aren’t wise to the game see a photo of a plane, read its misidentification, and react as if the poster was earnest. I’ve seen Twitter users offer gentle corrections and indignant rants, having completely missed the joke.

 

Take this post from 2^nd October, for example. Go on. Read it quickly:

 

Does that seem legit to you? Notice anything … odd … about it? Like, maybe, that it’s so full of crap it’s overqualified to run for political office in America?

 

If you’re not a military aviation buff (like, sadly, my own kids), here are a few clues that might tip a person off that this is not, in fact, a brace of nuclear gravity bombs slung under a WW2-era Supermarine Spitfire:

1. Supermarine Spitfires were fighters, not bombers; they didn’t have internal bomb bays, let alone a “cargo hold.”
2. Spitfires are tail-draggers; they don’t have retractable landing gear in the fuselage like the pair shown in the photo.
3. Spitfires were relatively small; a grown man (like the airman in this photo) could not walk under one even by ducking.
4. There are, regrettably, no known examples of military ordnance – nuclear or otherwise – named after video game franchise lead character “Duke Nukem.”
5. No nuclear bombs have ever been dropped on Bradford, especially not in WW1 (we would have noticed) …
6. … and nuclear weapons didn’t come along until WW2.

 

Here’s the thing: a reader only has to recognize one clue in the post to realize that it’s utter nonsense. Not exactly a difficult challenge, right? Most people caught the joke and cheerfully joined in with their own “fond remembrances” of the Bradford Incident … Still, a few readers missed the glaringly obvious clues and reacted to this as if it were real. That’s okay;it wasn’t a malicious post. No one was radicalized or provoked to violence by a miscaptioned historical photo. It didn’t try and drive a wedge through society, exacerbating existing cultural or political fault lines. Like a training bomb, it could only hurt you if you negligently mishandled it.

 

I think it’s brilliant. Helpful, too. I argue that @RAF_Luton is performing two important public services: first, it’s injecting some much-needed levity into the sewage inferno that is contemporary Twitter. Second, and much more importantly, it’s occasionally shocks people into realizing that not everything they read on the Internet is true. We need that. Desperately. We needthe aforementioned mental and emotional conditioning to keep us at the top of our defensive information operationsgame. We need to be reminded – every day – to stay sceptical of unverified online content.

 

To be clear, @RAF_Luton can’t save us from our own bad online habits all on its own. We all need regular practice at spotting the “tells” of a deceptive post. Phishing simulations are fantastic for this purpose; every time a person falls for a well-crafted phish, the immediate feedback they receive helps to train their instincts. Well-crafted programmes eliminate embarrassment from their phishing; they make it clear that the baddies don’t play fair and everyone is vulnerable. Each failure is a chance for improvement. Each phish is a workout of sorts. The more you practice, the better you get over time.

 

The thing is, commercial phishing training programs are all marketed to businesses and other large organisations. I’m convinced there’s an unmet need in the market for direct-to-consumer phishing defence training … a subscription service that randomly and artfully launches real phish (with benign payloads) at its customers and provides immediate (and entertaining!) corrective education materials when a customer falls for a phishing lure. Call it “mental and emotional conditioning as a service.”

 

Until someone sorts that out, though, we have @RAF_Luton. Follow them – if you aren’t already – and maybe see if we can get GCHQ or the Ministry of Defence to underwrite them with some sort of cyberdefence grant.

---

 

[1] I contacted the operator(s) of @RAF_Luton before writing this article. They were exceptionally kind, but don’t do interviews. Pity, since I’d very much like to buy them a round for all the good they’ve done and the mirth they’ve provided.

 

Pop Culture Allusion: James Kennaway, Wilfred Greatorex, Derek Dempster, and Derek Wood, The Battle of Britain (1969 film) based on Dempster and Wood’s 1961 book The Narrow Margin: The Battle of Britain and the Rise of Air Power 1930-40