We interviewed Jon Brewer, COO of the DISARM Foundation, for our Common Good Cyber interview series about his experience of co-founding the organization. Its DISARM Framework supports efforts to capture and make sense of information influence operations.
Can you explain the mission of the DISARM Foundation and its framework for analysing and mitigating attack vectors?
The DISARM Foundation provides a free, open framework to help identify and respond to malign information influence operations (IIOs), which are adversarial or harmful information campaigns that aim to influence people or events in a deceptive way.
The DISARM Framework helps organizations analyze the threats and share insights in consistent ways, so that they can work together and respond more effectively. By using a common structure and language, defenders can gain a better, shared understanding of the nature and scale of these threats and coordinate ‘whole of society’ responses to protect against them.
Why is a comprehensive approach to the analysis of attack vectors essential for modern cybersecurity? How does it address gaps in current methodologies?
Currently, there isn’t a widely used method for analyzing IIOs—this is where DISARM comes in. Cyberattacks and influence campaigns often overlap, with the same actors, using the same infrastructures and interconnected methods , aimed at largely the same targets, and as part of shared wider goals and plans. Attackers might, for example, use hacking techniques alongside social manipulation strategies, where combined defense approaches could provide far greater defensive insight.
DISARM was built to fill this gap, inspired by MITRE’s ATT&CK Framework, which categorizes cyberattack methods. Similarly, DISARM maps out tactics and techniques used in IIO attacks. Experts, including those at the European Union Agency for Cybersecurity (ENISA), have recommended using both DISARM and ATT&CK in parallel to strengthen defenses against these evolving threats.
When you ask what gap this addresses, it is that an approach to tagging and structuring IIO threat data is needed, but has not been created and widely adopted outside of DISARM. Then bringing IIO closer together with cybersecurity, sharing infrastructure and protocols such as STIX, should enable greater effectiveness and further efficiencies in a world of hybrid threats.
Can you share a success story where DISARM’s work made a tangible impact in mitigating threats or disinformation campaigns?
The success stories are legion in the many reports that have already been tagged with the framework, making them simpler to understand – both in themselves and aggregated with other reports – and also in the shareability of the intelligence that they create. The DISARM Framework is central to the infrastructure that is being built to enable a whole-of-society approach to real time and long-term defense against IIO. But it is still early days. We have made good progress, but only a fraction of what we could have achieved by now with the right funding for our core needs and projects.
What are the primary challenges you face in securing funding for a framework aimed at attack vector analysis?
The primary funding challenge we face is structural, given that – as someone once put it bluntly – “funders don’t fund frameworks!”. They were very largely correct, but we’re still hoping there might be an exception to the rule that someone, somewhere will! But the point has to be taken, that infrastructure is a hard sell. The gas/electricity pipes under the pavement down the road are obviously not visible, unlike the houses that they service. And who would want to fund something that was not visible? Another analogy – there’s huge complexity inside a smartphone, but no one would ordinarily want to fund the inside workings, rather than the phone itself. There are things we can do to deliver more of a ‘solution’ out of the framework, but standards are a dependency that help create significant value. Whole sectors can be turbocharged by them, if not actually fail to be born without them.
What would happen if DISARM ceased operations? What would it take for another organization to fill the gap?
It would be a heavy lift for anyone to pick up – not just in terms of the administrative complexities and taking on the full understanding of the work-to-date, but also to be able to carry through on the detailed vision to meet the needs. And also in terms of getting buy-in from the global user community for whoever might be willing and able to pick it up. If another organization were to start from scratch, I think it might take between 1 and 3 years to regain the lost ground, subject to a number of factors of course. Anyone able to pick up from where we left off might still need 9 to 18 months to become effectively operational again. These aren’t easy calculations to make, but are my honest best guess as I first think about it here.
How can Common Good Cyber and other funding organizations support DISARM’s efforts to bridge cybersecurity and disinformation challenges?
Please step in and help! Obviously, we would welcome all the resources we need, and would love to talk with anyone interested to know more. Even if a funder is not able to provide the core funding we need, we do have a business transformation plan to get us to a point where we can be self-financing. But again we need a runway and the resources to be able to get us there. Thank you so much for asking about our work!
