The conflict in Ukraine has pushed the term disinformation forcefully to the front of our minds. The term became common parlance during the Covid-19 pandemic, and it has almost seamlessly transitioned into the word of the day as we watch the war develop.
While disinformation is a powerful political tool, it also has a clear role to play in ongoing cyber security issues. But how can disinformation impact private business, and is it a genuine threat?
First, let’s take a closer look at what disinformation is…
The Global Disinformation War
The immediacy with which Russia shut down or restricted access to social media outlets such as Twitter and Facebook in the early stages of the Ukraine invasion shows just how valuable information is in any kind of conflict situation. Information warfare is not just fought on the battlefields. For Chief Information Security Officers (CISOs) it’s also fought across the internet as information ‘noise’ grows louder through articles, blogs, news sites and social media.
Disinformation has greater intent than misinformation. Misinformation often means information that has been shared without malicious intent and, justly or not, may contain factual inaccuracies. Disinformation has a much darker motive. It is information that is purposely incorrect by design. It may not be wholly incorrect; often the most believable disinformation campaign is one that contains small elements of truth, but it has a malicious purpose: to deceive.
Examples of disinformation can be false flag campaigns to justify military action, whereas misinformation could be the famed “£350m extra to the NHS a week” promise around the Brexit vote. Misleading, yes, but at the time it could not be proven to be false.
But why should businesses be concerned about media noise and the flow of bad information when they have IT infrastructure, GDPR and much more to manage?
Well, there is no getting away from the fact that disinformation is a clear cybersecurity issue. There are many instances where disinformation is already being used to undermine organisations, turn employees against each other, act as a social engineering lure or even form the basis for a ransomware attack.
Most worryingly, it isn’t just individual hackers and opportunistic cybercriminals that companies need to worry about; state-sponsored hacking groups are embarking on disinformation campaigns to create not just physical violence but also cyber attacks.
Well-deployed AI can be a useful tool for private businesses in recognising disinformation. By identifying threats and spotlighting errors, infosec teams and CISOs may assess the level and type of response required. There are a number of verification tools that can be deployed to highlight the probability of disinformation across sources. Verifying news outlets, research credentials, geolocating images and even rumour / conspiracy theory challenges should be part of any CISO’s strategy on disinformation fightback.
Having a robust and actionable plan in place is critical. Dealing with disinformation should be a key part of the crisis management plan of any private business, organisation or government department. In an ideal world it will reflect a response to disinformation attacks that could be business critical, but also provide clear definitions of what constitutes disinformation in relation to business activities. For CISOs without the internal bandwidth to manage this kind of task, employing an external cyber security consultant is often a good option.
The intentions of disinformation versus misinformation are key in creating this action plan. A very simple illustrative example would be a customer leaving a negative review of a product purchased online. One negative review from a verified customer is worrying but also an everyday part of running a commercial operation. Repeated negative reviews from unverified customers, using similar language and complaint themes, that threaten a business’s operations and reputation require investigation.
They could be part of a disinformation campaign by a rival business intent on driving down competition in a similar commercial space. The distinction here is the malicious intent and, ultimately, the response it requires as part of a disinformation action plan to counter these threats.
Information security in a world where misinformation and disinformation are so prevalent is becoming increasingly difficult. Where a CISO provides added value is by delivering a strategy and action plan designed to react to the level of threat posed by disinformation and identify its overall intent and impact.
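The review scenario above can be turned into a simple triage check. The following is an added example, not part of the original article: it groups negative reviews from unverified customers whose wording overlaps heavily and reports only groups large enough to merit investigation. The field names, the thresholds and the sample reviews are all constructed assumptions.

```python
import re
from itertools import combinations

# Constructed sample reviews (not real data): id, verified flag, star rating, text.
REVIEWS = [
    {"id": 1, "verified": True,  "rating": 1, "text": "Arrived late and the box was damaged."},
    {"id": 2, "verified": False, "rating": 1, "text": "This product is a total scam, it broke after one day, avoid this company"},
    {"id": 3, "verified": False, "rating": 1, "text": "Total scam! It broke after one day. Avoid this company."},
    {"id": 4, "verified": False, "rating": 2, "text": "A total scam, broke after one day, avoid this company at all costs"},
    {"id": 5, "verified": False, "rating": 1, "text": "Colour was not what I expected from the photos."},
    {"id": 6, "verified": True,  "rating": 5, "text": "Works great, would buy again."},
]

def shingles(text, n=2):
    """Lower-case word n-grams, so punctuation and casing do not hide reuse."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}

def jaccard(a, b):
    """Share of word n-grams two reviews have in common (0.0 to 1.0)."""
    return len(a & b) / len(a | b) if a | b else 0.0

def suspicious_clusters(reviews, max_rating=2, threshold=0.4, min_size=3):
    """Group unverified negative reviews that share wording; return id clusters.

    max_rating, threshold and min_size are assumed starting values to tune.
    """
    pool = [r for r in reviews if not r["verified"] and r["rating"] <= max_rating]
    sets = {r["id"]: shingles(r["text"]) for r in pool}
    parent = {rid: rid for rid in sets}  # union-find over review ids

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(sets, 2):
        if jaccard(sets[a], sets[b]) >= threshold:
            parent[find(a)] = find(b)  # similar wording: merge the two groups
    groups = {}
    for rid in sets:
        groups.setdefault(find(rid), []).append(rid)
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_size)

if __name__ == "__main__":
    print(suspicious_clusters(REVIEWS))
```

A reported cluster is a prompt for investigation under the action plan, not proof of malicious intent; the single verified complaint and the lone unverified one are deliberately left out of the result.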