Misinformation and cyber security incidents have become the main scourges of the modern digital age. Rarely does a day go by without significant news of a damaging disinformation threat, ransomware attack, or other malicious cyber incident.
As both types of threats increase and frequently appear simultaneously in the campaigns of threat actors, the lines between the two become blurred. At this year’s RSA conference, information security experts appeared on a panel titled “Disinformation Is the New Malware” to mark the distinctions.
Panel moderator Ted Schlein, president and general partner of Ballistic Venture and general partner of Kleiner Perkins, opened the session by telling the panelists, “I suggested to you that disinformation is just the newest form of malware. I would argue that the disinformation. it’s much more dangerous to corporations, society, and individuals. And with disinformation, you’re literally being tricked into downloading the exploit directly into your brain, and it doesn’t actually require network intrusions.”
Yoel Roth, Twitter’s former head of trust and security and now UC Berkeley’s technology policy fellow, highlighted the close and parallel relationship between malware and disinformation, noting that they often go hand in hand . “Disinformation has been a facet of human communication forever,” he said. “Where it gets worse is that some of this malicious content is also amplified through malicious behavior, people deploying technology to try to spread inauthentic messages that could cause harm.”
Misinformation can be just as insidious as malware
“When we were thinking about the risks of Twitter being targeted by, say, the Russian government, we always had to recognize that there would be attempts to break into Twitter’s systems and target the company and exfiltrate user data,” Roth said. “There would be attempts to influence the conversations that take place on the platforms, and there would be attempts to compromise Twitter users’ accounts. There were multiple layers to each of these things. And Twitter as a company had a role to play to address this. conduct at each of these levels.”
Roth pointed to the “big Twitter hack of 2020,” when financially motivated twenty-somethings compromised a Twitter employee’s account to promote a crypto scam on high-profile accounts. This incident is an example of what he called the “illusory distinction” between malware and disinformation. “This was targeting Twitter employees to access Twitter’s back-end systems to conduct malicious activities propagated across the social network. You can’t think of these issues in isolation,” Roth said.
“When it comes to disinformation, it’s just as insidious as malware, but it’s different in the sense that it all happens out in the open,” said Lisa Kaplan, CEO of Alethea. “So you can catch him early before he starts having [an] impact” before, say, an organization’s stock price starts to fall. “I think there’s a lot of opportunity for organizations to proactively mitigate these types of scenarios.”
Apart from being prepared, there isn’t much organizations can do to stop misinformation, which is why some have called for the government to take action. “The problem with this kind of solution in the US is the First Amendment,” said Cathy Gellis, an Internet lawyer and policy advocate. “Shouldn’t there be a law to say no to the bad things that are going on? But that’s when the First Amendment comes in because a lot of the things that you might want the law to say no to are not things that the law can dir. not because the First Amendment protects expressive rights,” Gellis said.
Although problematic, disinformation is not malware
Some cyber threat defense professionals believe that fighting malware and disinformation, while crucial, are two distinctly different efforts. However, cybersecurity professionals need to be aware of how disinformation works.
Debora Plunkett, former director of the National Security Agency’s (NSA) Information Assurance Directorate (IAD), played a role in Harvard’s Belfer Center’s Defending Digital Democracy project. She tells CSO that disinformation, by definition, is not malware. “Now if we mean if it’s like malware where the malware is destructive or designed to be destructive, designed to disrupt, designed to damage, designed in many cases to gain unauthorized access or to cause someone think something that isn’t, then I might get there.”
Describing herself as a purist, Plunkett says: “Just the premise that disinformation is the new malware, I don’t agree with that. I don’t agree with that because whenever we talk that way, so and so is the new so-and-so. So we’re saying the first is no longer a problem because we have this new problem here. And that’s far from the truth. Both are important.”
“There are some similarities between disinformation and malware,” Ashish Jaiman, Microsoft’s director of product management at Bing Multimedia, who was technical director of Microsoft’s Defending Democracy program, tells CSO. “Some of the cyber security campaigns are done through social engineering, and phishing is one of them, but there are other similar ways that disinformation is spread. So the difference between them is that cyber security is essentially binary. People understand what cybersecurity is. act from an engineering or organizational perspective.”
Misinformation is darker. “What is true and false in an information campaign is different than what is true and false in a cybersecurity campaign,” says Jaiman. “It’s very difficult for a technology or cybersecurity expert to understand this.”
Still, organizations can use cybersecurity skills and techniques in the information defense domain. “We’ve spent a lot of time building our tools to use technology like AI to stop an attack before it starts to spread,” says Jaiman. “So even if it does happen, we’ve spent a lot of time teaching people to identify or at least be aware of this type of attack.”
One tool that organizations can take from cybersecurity to deal with misinformation is signal sharing, which Jaiman says cybersecurity professionals already do in relation to child exploitation and abuse scenarios. “On a macro level, if you think about it, creating that kind of signal and removing it
it’s similar to what we do with phishing, where we share signals about cybersecurity, remove content and other things.”
Integrated solutions and awareness of misinformation are needed
Even if disinformation is not malware, the two diseases often align, requiring cyber security professionals to be aware of disinformation threats and an integrated approach across organizations. “If you’re planning an adversarial response and defense around the way your organization is set up and the distinctions between your communications people and your trust and security people and your security people, you’ve already failed” , Roth said.
Plunkett believes that cybersecurity personnel should not be forced to take up the banner of disinformation because it requires deep knowledge of any subject at hand. But, “I think people responsible for traditional malware and cybersecurity certainly need to be aware,” he says. “It’s additional information that you absolutely should know about and that you should be aware that could exist and could be used to help the cybersecurity problem you’re working on.”
Kaplan said disinformation is a “distributed risk,” requiring a broader organizational approach. “We often see that communications and security will work together because of this. Often there’s legal and government affairs in the room as well. That tends to be the right mix. There’s a whole host of different components to the org charts that are so important to the ‘adversary. few of which are responsible for actually responding to an incident.”
Copyright © 2023 IDG Communications, Inc.
Misinformation is a growing concern in the digital age, and the latest evolution of it is quickly becoming known as the “newest malware”. While most people are familiar with malicious software (malware) that exploits their devices, misinformation can be just as dangerous in its own way.
Ikaroa is in the business of full stack tech, helping companies and individuals protect against malicious malware and other cyber attacks. With the increasing threat of misinformation, Ikaroa also recommends clients take measures to protect themselves. While avoiding harmful software is possible through anti-virus protection, identifying and stopping fake news is more difficult because it does not always have malicious intent.
We need to make sure that we are equipped to handle this information warfare in the digital world. We need to become aware of the misinformation that is targeting us from different sources, and be able to filter out the facts from the fiction. Employing simple tactics such as double checking sources and looking for dissenting opinions can be helpful in this process. We should also look to respected organizations, like Ikaroa, that can help keep us informed on cyber threats and disinformation.
Misinformation can be difficult to spot and counter, which is why it’s important to stay up to date on the latest threats. With the help of full stack tech methods like those employed by Ikaroa, businesses and users can stay ahead of the curve by monitoring digital threat vectors and taking steps to mitigate risk. We must all work together to close the door on misinformation and create a secure digital world.