DAD-CDM FAQ

Q1: What is the purpose of DAD-CDM?

The purpose of the DAD-CDM project is to gather and coalesce contributions from the public (see Q11) into an international standard for codifying and sharing information on threats to the integrity of the public sphere and best practices for responding to these threats while upholding the right to freedom of expression [1].

Q2: Who will be able to use DAD-CDM once it is developed?

Users of the DAD-CDM standard are likely to include governments, corporations, civil society and media organizations, and information-sharing and analysis centers and organizations (ISACs and ISAOs [2]). The primary objective is to ensure that DAD-CDM is accessible to a wide array of users engaged in combating threats to the public information environment, fostering trustworthiness in information sources, and promoting collaborative initiatives on a global level.

Q3: What is the main use case for DAD-CDM?

The main driver and use case for DAD-CDM is the modeling, codifying, categorizing, and sharing of research on Foreign Information Manipulation and Interference (FIMI).

Q4: How do you define FIMI?

FIMI describes a mostly non-illegal pattern of behavior that threatens or has the potential to negatively impact values, procedures, and political processes. Such activity is manipulative in character, conducted in an intentional and coordinated manner. Actors of such activity can be state or non-state actors, including their proxies inside and outside of their own territory.

Q5: Are there other use cases for DAD-CDM?

Yes. The underlying DAD-CDM data model can be used to model any threat to the information environment that may negatively impact a target audience, so it offers a range of additional use cases beyond its primary focus. For example, the model can be applied to identify, analyze, and share instances of reputational harm. It is also instrumental in addressing AI-generated deepfakes created with the aim of manipulating employees. Moreover, DAD-CDM can be employed to scrutinize tactics and techniques used to influence humans during cyber attacks. These diverse applications showcase the versatility of DAD-CDM in mitigating various challenges related to disinformation and its impact on different facets of information trustworthiness. The DAD-CDM data model is itself agnostic. It is up to the users how they wish to use it.

Q6: What do you mean by ‘Defend Against Disinformation’?

Regarding the term ‘disinformation’, we use this as a short, umbrella title for influence operations (or ‘information manipulation and interference’) and resulting harm. All definitions are still being debated across the global community, as this arena – in the social media age – is still relatively new and emerging.

Q7: What do you mean by ‘influence operation’?

Influence operations combine various and multiple information influence activities. Information influence activities are activities conducted by foreign powers to influence the perceptions, behavior, and decisions of target groups to the benefit of foreign powers. Information influence activities can be conducted as a single activity or as part of a larger information influence operation combining various and multiple activities [3].

Q8: How do you define disinformation and misinformation?

The difference is intent. In addition to its popular use as an umbrella term, as described above, many in the defender community use the term ‘disinformation’ more specifically, as information that is false, misleading, incomplete, or out of context, and which is deliberately created, altered, manipulated, disseminated, or presented with the intent to deceive. Misinformation, by contrast, is information that is false, misleading, incomplete, or out of context, but which is not created, disseminated, or presented with an intent to deceive. Misinformation may originate as disinformation, or it may be created by error or mistake. It may then be spread unwittingly or in good faith by individuals who have no intent to deceive [4].

Q9: How will DAD-CDM determine which content is disinformation?

DAD-CDM does not do content moderation. The project’s purpose is to define the elements, and the relationships between them, that compose influence campaigns (communication channels, narratives, media-content and so on). The goal is to enable relevant teams around the world to track, describe, and share their analyses using a common language.

Whether a communication campaign includes information that is ‘true’ or not is not the responsibility of the analysts. Equally, information does not have to be ‘untrue’ to be part of an influence campaign. Analysts are, therefore, not primarily concerned with separating fact from fiction – they are seeking to identify manipulation of or covert interference in another country's information environment by a foreign actor, along with seeking to recommend ways of addressing the many types of resulting harm.

Q10: Who will develop DAD-CDM?

DAD-CDM is an OASIS Open Project. This means that it is open to any member of the global public who wants to join in the conversation and contribute to the project. The project was proposed to OASIS by the DISARM Foundation. The DISARM Foundation collaborated with OASIS and several of its partners to craft a Project charter. OASIS then reached out to organizations they thought might be interested in sponsoring the project financially. Representatives from these sponsors then formed a Project Governance Board (PGB) for the project. The PGB has been meeting to decide how the project will be managed and administered and to draft a charter for the project’s Technical Steering Committee (TSC). The PGB will invite qualified individuals in the counter-FIMI community to join the TSC. The TSC will be responsible for collecting contributions from the public and using these to create ‘work products’, as directed by the PGB. It will then submit these to the PGB for approval.

Q11: Who can contribute to DAD-CDM?

Anybody can contribute to DAD-CDM. Contributors do not need to be members of the PGB or the TSC. These governance bodies exist to coordinate and steer the project, but contributions can come from anyone in the defender community or from anyone interested in defending the public sphere from manipulation and harm, and who signs a Contributor License Agreement (CLA). Countering information manipulation and digital harm and neutralizing the asymmetric advantage enjoyed by information manipulators requires a wide array of perspectives and capabilities in a ‘whole-of-society’ approach.

The process also needs to be fully open and transparent. This will ensure that any global standards that result will enable users to take account of the full spectrum of human rights as outlined in the Universal Declaration of Human Rights. This means that users are able to uphold the right to freedom of expression for content creators, while at the same time defending the right to freedom from harm for those impacted by FIMI and digital harm campaigns.

Q12: If I contribute to DAD-CDM, do I lose my Intellectual Property rights?

No. Contributing entities sign an Entity Contributor License Agreement (eCLA). Contributing individuals sign an Individual Contributor License Agreement (iCLA). The CLA only gives OASIS the non-exclusive right to use and republish the contributed content. The full rights remain with the contributor.

Q13: How long will it take to develop DAD-CDM?

The PGB has not yet developed a timeline for the project. For those who would appreciate a detailed, technical explanation: there is a short-term goal that involves evaluating the applicability of the current version 2.1 of the Structured Threat Information eXpression (STIX) standard to modeling threats to the information environment and creating STIX extension definitions to fill any identified gaps. We expect to be able to kickstart this effort by leveraging some of the work already carried out by Filigran, developers of the open-source threat intelligence platform, OpenCTI.

Filigran is both a sponsor and contributor to DAD-CDM. They are contributing extension definitions for four STIX Domain Objects and one STIX Cyber Observable which are already in use within OpenCTI and being actively used by the European External Action Service (EEAS), the European Union Agency for Cybersecurity (ENISA), the French Service for Vigilance and Protection against Foreign Cyber-Interference (VIGINUM), Debunk.org and others.

The closest benchmark we have for how long it may take the DAD-CDM project to perform an evaluation and gap analysis of the STIX 2.1 standard, and to propose new objects, properties, and taxonomies to fill the gaps and satisfy the most immediate needs of the counter-FIMI community, is the recent work carried out by the Incident Working Group of the OASIS Cyber Threat Intelligence Technical Committee (CTI-TC), which has been working for about a year on fleshing out the specification of the Incident and related object extensions to STIX.

Beyond this short-term goal, DAD-CDM aims to survey the landscape for existing models, frameworks, databases, and lexicons relevant to characterizing and mitigating threats to the integrity of the public sphere, including the manipulation of information through artificial intelligence. Based on this research, the PGB will decide on the next set of priorities and make a multi-year plan.

Q14: What is the relationship between DAD-CDM, STIX, DISARM and OpenCTI?

The DAD-CDM project aims to build upon the work of the cybersecurity community and not reinvent the wheel. The project charter states the project’s commitment to modeling ‘disinformation and hybrid cyber-disinformation threats’ using STIX and extensions to STIX. STIX has become the global standard for structuring information on cyber-threats. Based on STIX, a rich set of open-source and commercial tools has evolved which can be used by threat analysts to understand and map out the threat environment. One such tool is OpenCTI, which is essentially a database of STIX objects with a sophisticated analytical interface. DISARM is a framework like the MITRE ATT&CK framework but for codifying behaviors (tactics and techniques) related to disinformation and FIMI. Techniques are modeled using the STIX object called ‘attack pattern’.

Again, for more technical readers, STIX represents information in JSON format, the universal data format used by data scientists and programmers. The STIX data model consists of objects and relationships between those objects. These can be displayed graphically as nodes (or vertices) and edges (or lines). This data model lends itself to link analysis, a powerful technique employed by threat analysts to ‘join the dots’ and build up a comprehensive picture of the threat. Because of its structure, data in STIX format is machine-readable and therefore easily automated, so that analysts can take advantage of the power of machines to ‘join the dots’. STIX data is shared through its corresponding transport protocol called TAXII, which stands for Trusted Automated eXchange of Intelligence Information.

In the case of FIMI, for example, if an analyst from one organization uploads a new FIMI investigation tagged using DISARM into an OpenCTI database, OpenCTI’s automated entity recognition feature will parse the report and extract the relevant attack patterns and other entities pertaining to FIMI and will automatically create STIX objects for these and relate them to the new report. An example entity might be a specific Telegram channel. Using OpenCTI the analyst quickly determines that the specific Telegram channel already exists in the database, since it was used in a previous FIMI campaign shared by another member of the ISAC, and that it has been attributed to a specific nation-state actor. The OpenCTI interface displays these relationships graphically for the analyst. Finally, so that others can benefit, the analyst uses OpenCTI’s streams or TAXII feature to share the new findings with other members of the ISAC. This example illustrates the benefits of structuring and sharing FIMI data in a standard manner [5]. Real-world examples of FIMI analysis using structured data include the first and second FIMI reports from the EEAS.
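The link analysis described in the two paragraphs above (objects, relationships, and the Telegram-channel scenario), as an added example that is not part of the original FAQ and is not DAD-CDM, OpenCTI or DISARM code: it walks a constructed, trimmed STIX 2.1-style bundle to find entities a new campaign shares with other campaigns, and the actors those campaigns were attributed to. The `x-example-channel` type and all names and ids are assumptions made for illustration.

```python
from collections import defaultdict

def sid(stix_type, n):
    # Constructed, deterministic STIX-style id: "<type>--<UUID>"
    return f"{stix_type}--00000000-0000-4000-8000-{n:012d}"

CHANNEL = "x-example-channel"  # placeholder type, not a DAD-CDM or OpenCTI definition
OLD, NEW = sid("campaign", 1), sid("campaign", 2)
ACTOR, CHAN, OTHER = sid("threat-actor", 3), sid(CHANNEL, 4), sid(CHANNEL, 5)
TECH = sid("attack-pattern", 6)

def obj(oid, name):
    # Trimmed object: the created/modified timestamps STIX requires are omitted
    return {"type": oid.split("--")[0], "spec_version": "2.1", "id": oid, "name": name}

def rel(n, source, rtype, target):
    return {"type": "relationship", "spec_version": "2.1", "id": sid("relationship", n),
            "relationship_type": rtype, "source_ref": source, "target_ref": target}

# Constructed sample data: one earlier campaign already shared, one new investigation
BUNDLE = {"type": "bundle", "id": sid("bundle", 0), "objects": [
    obj(OLD, "Earlier campaign (constructed)"), obj(NEW, "New investigation (constructed)"),
    obj(ACTOR, "Example actor (constructed)"), obj(CHAN, "Example Telegram channel"),
    obj(OTHER, "Unrelated channel"), obj(TECH, "DISARM technique (placeholder)"),
    rel(10, OLD, "uses", CHAN), rel(11, OLD, "attributed-to", ACTOR),
    rel(12, NEW, "uses", CHAN), rel(13, NEW, "uses", OTHER), rel(14, NEW, "uses", TECH),
]}

def prior_context(bundle, campaign_id):
    """For each object the campaign uses, list other campaigns sharing it and their actors."""
    names, used_by, actors, uses = {}, defaultdict(set), defaultdict(set), set()
    for o in bundle["objects"]:
        if o["type"] != "relationship":
            names[o["id"]] = o["name"]
        elif o["relationship_type"] == "uses":
            used_by[o["target_ref"]].add(o["source_ref"])
            if o["source_ref"] == campaign_id:
                uses.add(o["target_ref"])
        elif o["relationship_type"] == "attributed-to":
            actors[o["source_ref"]].add(o["target_ref"])
    findings = {}
    for target in uses:
        others = used_by[target] - {campaign_id}
        if others:  # shared node: the "dot" that joins two investigations
            findings[names[target]] = {
                "campaigns": sorted(names[c] for c in others),
                "actors": sorted(names[a] for c in others for a in actors[c])}
    return findings

if __name__ == "__main__":
    print(prior_context(BUNDLE, NEW))
```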

The European Union and the United States through the Trade and Technology Council recently adopted STIX, DISARM, and OpenCTI as a common tech stack for exchanging structured information on FIMI.

Footnotes

  1. The DAD-CDM vision aligns closely with the principles of information integrity being proposed by the United Nations. See https://www.un.org/en/information-integrity/code-of-conduct.

  2. See, for example, https://www.grf.org/, https://www.nationalisacs.org/, https://www.iaci.global/, https://www.enisa.europa.eu/topics/national-cyber-security-strategies/information-sharing.

  3. See J. Pamment, H. Nothhaft, H. Agardh-Twetman, A. Fjällhed, Countering Information Influence Activities. The State of the Art, Lund University, 2019, https://www.msb.se/RibData/Filer/pdf/28697.pdf. See also A. Wanless and J. Pamment, “How Do You Define a Problem like Influence?”, Journal of Information Warfare, Vol. 18, No. 3, Winter 2019, https://carnegieendowment.org/files/2020-How_do_you_define_a_problem_like_influence.pdf.

  4. These definitions have been proposed by the DISARM Foundation.

  5. For a discussion on structured information, see Chapter 3, ‘Structured Intelligence – What Does It Even Mean?’, in A. Roberts, Cyber Threat Intelligence. The No-Nonsense Guide for CISOs and Security Managers, Apress, 2021.