I was interviewed for this article on the successful Russian active measures campaign otherwise known as the election of Donald Trump. The following didn't make the final cut, but I think is worth sharing.
Craig Timberg, Washington Post:
Could you please tell me a little more about your methods for tracking the origins of Russian tweets and stories? How do you know who is doing what out there on the Internet?
It's a good question: "How do you know it's the Russians?" My response deals primarily with activity on Twitter. Websites are easier to do attribution on.
It's not very hard when you identify in advance the accounts that are involved in pushing the content. We focus on the distribution networks. What we're doing now builds on years of observations. We didn't get involved in this because of the election - we were already in place, and then couldn't help but notice increasing Russian involvement.
Put another way, if you start with any given piece of disinformation and try to trace it back to the source, you're doing it the hard way. Spend a little time observing how disinformation is distributed in support of Kremlin policy objectives and you will start noticing the same people and patterns of behavior. Identify the distribution channels and you will know what the latest Kremlin campaign is not by analyzing the content or tracing it back to a particular website, but by noting who is distributing it, and where.
Note (added 2016-12-09): For an example of how this plays out in real time, see our article in the Daily Beast, and the addenda here. In short, we were already monitoring people like Marcel Sardo due to their involvement in distributing or promoting disinfo. So rather than finding a story about a non-existent attack on the NATO base at Incerlik and trying to trace it back to a source, we noted that Sardo was trying to make something of a story about an attack on the base at Incerlik that as far as we knew did not occur. It's small but important distinction.