May 21, 2021

Live From RSAC: Disinformation: As Dangerous as Cyber and Physical Threats

By Hope Goslin

In today’s digital world, we practically live on our phones or computers. Chances are, you don’t go more than 15 minutes without checking your email or social media. And you probably get most of your news from the Internet.

But how do you know what information is real? Two different news sites might give differing opinions of the same story. Take the presidential election, for example. There was a frenzy of fake news trying to sway voters in one direction or the other. Covid-19 also brought about a fair share of conspiracy theories and misinformation – like the Covid-19 vaccine microchip theory. These theories and propaganda were planted by threat actors to stir chaos and instill fear or doubt.

In an RSA Conference fireside chat this week, Chris Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency and co-founder of Krebs Stamos Group, and Alan Shimel, CEO of MediaOps, explained how to weed through disinformation, what threats fake news poses to cybersecurity teams, and what we can do to help.

As Krebs says, “I’m leading a commission at the Aspen Institute on the information disorder and there are no silver bullets right now for stopping, for halting, for changing the ecosystem. Whatever the solutions are – now or in the future – it’s going to take the whole of society, like government, industry, civil society … it’s going to take a full effort.”

How do you build your information ecosystem?

It’s challenging to figure out what information to believe when there are so many news outlets. And people tend to be more attracted to drama or stories that align with their views, even if the information is not accurate. Real news is “boring,” as Krebs says, and fake news is more appealing.

Unfortunately, there is no central source of truth at the moment, so there is no way to say what information is accurate or not. We need to fix this.

How do we counter disinformation? 

Krebs and Shimel discussed the idea of creating one source of truth. Whether it’s at a company, or in government, you need one central repository with the facts.

Take Germany, for example. Germany has a monoculture of news that gives it the advantage of one source of “truth.” There is one source where you can get your news, and there is no commentary. That doesn’t mean Germany doesn’t still deal with some disinformation, but it’s a lot less than in the United States.

How do you deal with disinformation in cybersecurity?

Disinformation attacks occur when threat actors manipulate information to cause unrest. Software companies that work with the government deal with disinformation attacks all the time. One example is threat actors changing the outcome of an election.

The new executive order should help with some of these attacks, but it still doesn’t solve the problem. The government needs more information, especially regarding ransomware. But what companies want to disclose their security problems? And it’s not as if the government can help them with security. Krebs and Shimel noted that we need to incentivize organizations, and we need to make it easy and convenient to report security defects and breaches.

Organizations should also be conducting an analysis of their systems to keep an eye out for potential attacks, and should consider hiring a senior executive to concentrate solely on countering disinformation. Since the world is becoming increasingly digital, this role is more important than ever.

For more on the cybersecurity executive order, and other RSA Conference 2021 sessions, check the Veracode Blog.


Hope is part of the content team at Veracode, based in Burlington, MA. In this role, she focuses on creating engaging AppSec content for the security community.