EEAS Report on Foreign Information Manipulation and Interference Threats

ANALYSIS CYCLE: ESTABLISHING A STRATEGIC AND SELF-REINFORCING WORKFLOW The Analysis Cycle is a meta-methodology to provide one core workflow that delivers both on the long-term objective of systematically analysing and disrupting FIMI and providing insights in the short-term for quick and timely reactions In the (1) Strategic Monitoring phase, the ecosystem of known FIMI assets used by a threat actor to engage in manipulation is mapped These assets can be overtly associated with a foreign actor, or have been attributed by the FIMI research community according to current best practices 29 A good example of such a mapping is the infographic “Russia’s Disinformation & Propaganda Ecosystem” depicted in Figure 17 (later also built upon by euvsdisinfoeu)30 Systematically monitoring the activity of these known FIMI channels allows us to understand patterns in their behavioural tactics, and spot potential new channels of that ecosystem, for example through suspicious amplification patterns of hitherto unknown outlets. The (2) Prioritisation & Triage phase aims to filter the onslaught of activity by these FIMI channels to high priority and potentially harmful instances Beyond ensuring that the data collection aligns with the definition of FIMI, we also prioritise incidents on issues that are of direct policy-relevance to and within the mandate of the EEAS.

Systematically cooperating with other stakeholders in the FIMI analysis community that cover the respective priority actors and issues of their organisation completes the picture This last point is why a shared analytical framework and methodology is so crucial for successfully disrupting FIMI globally Next, the (3) Incident Analysis & Evidence Collection phase focuses on an open-source analysis .This includes the connections between different channels of the ecosystem, for example in terms of how they amplify a specific piece of misleading content, where it was seeded, and what TTPs were used in the process of doing so At this stage, analysts encode data on the incident according to the taxonomies outlined below Since threat actors often delete traces of their activity once they achieve their objective, it is important to systematically archive evidence for future reference In doing so, analytical operations need to be consistent with their organisation’s commitments to comply with the General Data Protection Regulation (GDPR)31 as well as with best practices for archiving evidence in a reliable and trustworthy way For practical guidance, see the Berkeley Protocol on Digital Open-Source Investigations.