Disarming Disinformation: Why CISOs Must Fight Back Against False Info
The UK company had been in business only a few months and was already receiving praise from the press, including an article in one well-known publication. But that seeming good luck didn’t last: Within a month, malicious — and false — stories started appearing that said the staffing firm had hired out a woman to work at a strip club.
The company was the victim of a misinformation campaign. Luckily, the business was fake, part of an experiment run by intelligence firm Recorded Future.
To gauge the effectiveness of commercial disinformation campaigns, Recorded Future sought out services to bolster — or undermine — the fictitious company’s reputation. In less than a month, and for a total of $6,050, the company hired two Russian services to spread disinformation using a surprisingly extensive online infrastructure, ranging from social media accounts to online writers, to spread information, says Roman Sannikov, director of analyst services at Recorded Future. The list of publications in which the services claimed to be able to place stories ran the gamut from fake news sites to a top international news service.
“Companies need to be hyper-aware of what is being said on social media and really try to address any kind of disinformation when they find it,” Sannikov says. “The gist of our research was really how these threat actors use these different types of resources to create an echo chamber of disinformation. And once it gets going, it is much harder to address.”
Beyond Politics
Disinformation has become a major focus in the political arena. In 2018, the US government indicted 13 Russian nationals and three organizations for their efforts — using political advertisements, social media, and e-mail — to sway the 2016 US presidential election.
Yet such campaigns are not just useful in national politics. Disinformation campaigns are enabled and made more efficient by the data collection and capabilities of modern advertising networks. While companies like Cambridge Analytica have pushed the boundaries too far, even the legal abilities of advertising networks can be used to do great harm.
“The targeting models that have allowed advertisers to reach new audiences are being abused by these hucksters that are trying to spread false narratives,” says Sean Sposito, senior analyst for cybersecurity at Javelin Strategy Research. “The advertising industry has built a great infrastructure for targeting, but it’s also a great channel to subvert for disinformation.”
Disinformation has already harmed companies. In 2018, members of the beauty community revealed that influencers paid to promote a company’s products had been paid extra money to criticize competitors’ products. The Securities and Exchange Commission (SEC) has filed numerous charges against hedge funds and stock manipulators for taking short positions on particular firms and then spreading false information about the firm. In September 2018, for example, the SEC charged Lemelson Capital Management LLC and its principal, Gregory Lemelson, with such an attack against San Diego-based Ligand Pharmaceuticals.
At the RSA Conference in 2019, Cisco chief security and trust officer John N. Stewart warned that disinformation did not just matter to elections, but to businesses as well. “Disinformation is being used as a tool to influence people—and it’s working,” Stewart said.
Even true information, if put within a specific narrative, can harm companies as well. The portrayal of Kaspersky as a firm beholden to Russia and of Chinese technology giant Huawei as a national security risk has had significant impacts on both those companies.
So how can companies prevent disinformation from affecting them in 2020 and beyond? Experts point to three strategies.
(Continued on next page)
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio
