Arming CISOs With the Skills to Combat Disinformation


As if chief information security officers (CISOs) did not have enough to deal with, add one more issue to their plates: information warfare. These operations now target private and non-governmental entities almost as often as they involve world powers. That’s why it’s more important than ever to know the difference between misinformation and disinformation — and how to stop them both.

Information wars are old. They date back millennia, as does the strategy of deception in warfare. Despite the long history of disinformation, discussion of the subject has picked up recently. Run a small experiment: perform an internet search on the word “disinformation” restricted to material from before 2016 and see how many fewer results there are than what you’d find today. You’ll find first-page results with publish dates spanning the 2010s. Go a couple of pages in and you may see references to books from the ’80s and ’90s. Search that term today, though, and it takes quite a few clicks to find something that wasn’t written in 2021.

Why the uptick? More information, for one. It does not matter if it is credible or not. It’s out there. The information age means almost anyone can become a publisher. Blogs are cheap to maintain, content creators are seeing returns on investments, advertisers are enjoying click-through revenue and social media is an amplifier. All these are good things. And they also come with noise.

Cutting Through the Noise

Two sets of ideas can help CISOs discover and limit information campaigns against their organization. And while these appear similar, they are distinctly different.

Misinformation Versus Disinformation

These are pretty easy to tell apart in simple terms, but they are also easily confused or used inappropriately. Misinformation is usually wrong information that, at least when first released, has benign intent. It’s possible you have said, or have had said to you, “You have been misinformed.” CISOs need to watch out for intent. We’ll examine that in a bit more detail shortly.

On the other hand, disinformation is malicious by design. It may be a well-crafted lie, but lies have a way of falling apart, especially over time. The most insidious type of disinformation is the type seeded with ‘the kernel of truth’. The lie is built around something that is proven to be true, therefore giving the disinformation campaign an appearance of credibility.

A perfect example to illustrate this is the use of deepfakes. A deepfake of an influential person saying something ridiculous may be quickly proven to be a lie. The disinformation campaign unravels very quickly. But a deepfake that only makes minor changes to an otherwise true event can slip under the radar.

Information Superiority Versus Information Dominance

Of course, technology can help spot anomalies, but combating disinformation is only part science. Plenty of art is involved, and that is where the second set of ideas comes into play: superiority and dominance.

Think of superiority as having more information, whereas dominance is being able to do more with the information you have, even if it is less in terms of quantity. You are being smarter about how you use it.

Building Confidence Into Your Assessment

Tying these two sets of ideas together is where CISOs can work some magic. The key is to establish confidence in your assessment. Let’s use an example to demonstrate how you can do this.

As a CISO, you may trust that a vendor will provide timely threat intelligence reports and meet their service-level agreement requirements. You even have a great working relationship with them. But there is one problem: you do not have confidence in their work product, for whatever reason (dated material, errors, etc.). Paradoxically, you are unlikely to trust a darknet persona. But what if this persona has consistently produced high-quality information? In that case, you would have confidence in their product.

This distinction between trust and confidence is nuanced, so it often gets missed. But it is vital for filtering out misinformation and combating disinformation. So, how do you use the two sets of ideas above to build confidence?

First, develop a mechanism that allows you to tell the benign from the malicious. There is no one-size-fits-all approach here due to industry-specific language, and nobody knows your industry better than you. Look for nuances in language and information feeds. Spot qualifiers, which are usually a good tell that something may be off. In other words, focus on signal, not noise.

You see, by going through this exercise you use your industry-specific knowledge (dominance) to filter out the noise, which should lead you to intent: mistake or deliberate act, that is, misinformation versus disinformation.

The next point is crucial. CISOs, slow down and take this saying to heart: slow is smooth and smooth is fast.

How to Make Good Decisions In the Age of Disinformation

With data security budgets hard to come by and cybersecurity staff hard to find, burnt out or resigning, quality over quantity matters more than ever, especially as disinformation attacks can always have ulterior motives.

Always keep in mind that the purpose of a disinformation attack could be to send you astray. Those security operations center alerts or that dark web chatter may be designed solely to get you to act, perhaps to force the activation of your crisis management plan. The threat may be a ruse so the actor can see what your response is, study you, prey on your emotions and use social engineering. That’s why you need to slow down, verify what you see, develop confidence and make good decisions based on that confidence. Otherwise, you may be walking into a trap. Or put another way: filter out the noise.

Let’s summarize. CISOs:

  1. Learn how to spot misinformation and disinformation. They are different and have different intentions that impact your response.

  2. Strive to be better, not have more. It’s no different than having too many technical tools. Tools need to be configured properly to have utility. Combating disinformation is no different.

  3. Slow down and manage your resources better. Develop confidence in assets of all types: people, technology, vendors and, of course, information.

  4. Be critical. Trusting a source has never been more difficult, meaning you have to develop some of your own capabilities. If you cannot verify information and sources on your own with a good degree of confidence or hard data, you may be going down a rabbit hole that you can’t come out of. Having a cautious and inquisitive approach to the information you are receiving is not a bad thing these days…

…and that even includes this article.

The post Arming CISOs With the Skills to Combat Disinformation appeared first on Security Intelligence.