Disinformation is undoubtedly on more people’s radars. But just because we know more about it doesn’t mean we are better prepared to face the challenge it is posing.
With normal cyber-attacks, governments and organizations are often targeted directly. Disinformation is different. Instead of attacking core infrastructure, bad actors or nation states attack the population by attempting to skew their beliefs.
Disinformation, a form of misinformation that is created specifically to manipulate or mislead people, is becoming more prevalent – mainly because it’s easy to create and disperse. The tools behind deepfakes and malicious bots have been democratized, creation can now be automated and disinformation-as-a-service has emerged.
The threat of disinformation has two key components. Nation states and bad actors use it to discredit governments and organizations, and to target employees in order to infiltrate businesses from the inside.
In the UK, experts recently told a House of Lords inquiry that upcoming legislation should force internet companies to provide real-time information on disinformation. While CIOs cannot tackle this problem alone, they can take some steps to mitigate the risk.
Retaining Credibility
Nation states and bad actors can harm governments and organizations without targeting them directly with a cyber-attack. For instance, they could impact the number of coronavirus vaccines administered by the National Health Service (NHS) by using disinformation to sow distrust about vaccine effectiveness or safety. Late last year, the media reported that hackers tried to break into the systems of researchers at AstraZeneca and the University of Oxford. In response, the National Cyber Security Centre (NCSC) stated that it was working to protect the UK’s most critical assets, the health sector and crucial vaccine research and development against threats.
It’s hard to control how disinformation spreads, but awareness campaigns can be run to counter the threat, supported by certified FAQs and resource pages.
In November 2020, the UK government and social media platforms agreed a package of measures to reduce vaccine disinformation. This includes ensuring a timely response to disinformation content flagged to platforms and joining new policy forums to prepare for future threats. In March 2021, the government also launched a social media campaign to tackle false vaccine information shared amongst ethnic minority communities.
While CIOs alone cannot regain control of information in the internet age, governments can consistently remind people that they represent a reputable source – and can be diligent in only driving citizens to other reputable sources. Governments and departments may even look to more traditional efforts, like marketing, in order to disseminate verified information.
Educating and Protecting Employees
But what does this have to do with a cybersecurity company? Some types of disinformation can lead to insider threats. Social media and other sources of inaccurate information can radicalize employees, who may feel compelled to steal sensitive data or IP. For example, activist group QAnon left “breadcrumbs” of secrets peppered with pledges and pro-Trump themes on message board 4chan.
Just as disinformation is now for sale, insider-threat-as-a-service also exists. While bad actors and nation states formerly attempted to bribe and extort their way to sensitive information, they can now either serve disinformation to existing employees, or ultimately become employees themselves.
To prepare for the former, organizations and governments need to implement more disinformation education and training programs. Employees should be required to take training to recognize disinformation and to understand the techniques used to skew the public’s common belief system: how verifiable information is fused with false information to alter narratives, and how reliable sources are discredited. This relates directly to insider threats: by helping employees validate sources, organizations are protecting their data in the long run.
Additionally, in order to combat both types of insider threat, organizations and governments must be adept at continuous monitoring of user behavior. By having a baseline of normal user behavior, IT teams can determine if a radicalized employee is attempting to hoard data or access restricted information. There is simply no way to completely eliminate the threat of disinformation and malicious insiders. Thus, IT teams must put behavioral analytics in place to quickly identify and respond to potentially dangerous user behavior.
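The baseline check described above can be sketched as follows. This is an added example, not code from the article: the event format, user and resource names, sample data and thresholds are all constructed assumptions. It flags the two signals the paragraph names, a user reading far more data than their own norm and a user touching a restricted resource for the first time.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events, not real logs: (user, day, resource, bytes_read).
BASELINE = (
    [("alice", d, "wiki", b) for d, b in enumerate([120, 90, 150, 110, 130, 100, 140])]
    + [("bob", d, "crm", b) for d, b in enumerate([400, 380, 420, 410, 390, 405, 395])]
)
TODAY = [
    ("alice", 7, "wiki", 125),
    ("alice", 7, "design-vault", 8995),  # large read from a resource new to alice
    ("bob", 7, "crm", 415),
]
RESTRICTED = {"design-vault", "hr-records"}  # hypothetical restricted resources


def build_baseline(events):
    """Return {user: (mean_daily_bytes, stdev_daily_bytes, resources_seen)}."""
    daily = defaultdict(lambda: defaultdict(int))
    seen = defaultdict(set)
    for user, day, resource, nbytes in events:
        daily[user][day] += nbytes
        seen[user].add(resource)
    return {u: (mean(d.values()), pstdev(d.values()), seen[u]) for u, d in daily.items()}


def flag_anomalies(baseline, events, restricted, z_threshold=3.0):
    """Flag volume far above a user's own norm, and first-time restricted access."""
    totals, alerts = defaultdict(int), []
    for user, _day, resource, nbytes in events:
        totals[user] += nbytes
        known = baseline.get(user, (0.0, 0.0, set()))[2]
        if resource in restricted and resource not in known:
            alerts.append((user, "new-restricted-access", resource))
    for user, total in totals.items():
        avg, sd, _ = baseline.get(user, (0.0, 0.0, set()))
        # Floor the spread so a very steady user does not alert on small changes.
        z = (total - avg) / max(sd, 0.1 * avg, 1.0)
        if z > z_threshold:
            alerts.append((user, "volume-spike", round(z, 1)))
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalies(build_baseline(BASELINE), TODAY, RESTRICTED):
        print(alert)
```

Comparing each user against their own history, rather than a single organization-wide limit, is what lets a steady heavy user pass while a normally light user's sudden bulk read stands out.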
The Bottom Line
The tough reality is that, in an age of social media, there is no silver bullet to combat this real and growing threat. Everyone must be diligent about questioning what they see online, rather than simply taking it at face value and internalizing it as fact. IT professionals in governments and organizations should be most concerned about disinformation undermining their own credibility – and potentially turning their own employees against them.
Awareness is crucial to combating disinformation, but it should be supplemented by behavioral analytics. CIOs should proceed as if disinformation is already impacting both their employees and citizens – because it is. This is an all-hands-on-deck issue and it’s time to combat the threat of disinformation today.