The internet, as life-changing as it can be for digitising businesses, connecting communities and informing individuals, doesn’t come with a user guide to help us navigate it. And as people become more aware of the dark side of the web, they are looking for tools that help to defend them against campaigns designed to manipulate how they think or behave.
Misinformation and disinformation are rife, but so far they have been seen as a challenge for policy-makers and big tech, including social media platforms. However, because disinformation is by nature an online risk, it is a challenge for our cyber security ecosystem to tackle, too.
But tackling the manipulation of truth is no easy task. The sheer volume of data being created makes it hard to tell what’s real and what’s not. From destroying 5G towers to conspiracies like QAnon and unfounded concern about election fraud, distrust is becoming the default – and this can have incredibly damaging effects on society.
Disinformation and fake news are also part of the delivery package, rather than being the end goal – they are increasingly being used to deliver malware by manipulating people’s fears and heightened emotions. For example, Avast has found that fake shops that claimed to sell Covid-19 cures and used the World Health Organization’s logo were intended to get people to download malware.
So far, the tech sector – primarily social media companies, given that their platforms enable fake news to spread exponentially – has tried to implement some measures, with varying levels of success. For example, WhatsApp has placed a stricter limit on its message-forwarding capability and Twitter has begun to flag misleading posts.
Despite these efforts, reports stressing concerns about the issue from intelligence services and independent committees are being overlooked, while policies can’t be put in place fast enough to keep up with the ever-changing ways that fake news spreads. But it’s not just an issue of having more laws – in fact, too much regulation in some cases can be used as a guise for clamping down on free speech. We should be very wary of overusing it as a tool.
We are also seeing the rise of tech startups that are exploring ways to detect and stem the flow of disinformation, such as Right of Reply, Astroscreen and Logically. These companies don’t tend to refer to themselves as cyber security companies, but you can argue that this is, in effect, what they are.
It’s a question of definitions: if we agree that cyber security isn’t just about data breaches but data integrity, then it’s clear that these companies come under the umbrella of security.
More than that, disinformation has the potential to undermine national security – and it should be at the core of our cyber defences.
However, the cyber security innovation ecosystem as a whole has been under-utilised and under-motivated to play a role in this landscape. Plenty of spinouts and startups have the tools to combat disinformation and take on botnets, such as automated threat detection, but don’t regard stemming the flow of disinformation as being in their domain.
This will change as businesses increasingly become the target of disinformation, which will create more market demand among IT teams. We are seeing cyber espionage techniques such as creating fake news to hold influential members of a competitor company ransom or damage the reputation of a brand, and this will shift our perception of the challenge as it becomes more rife in the corporate world.
Data breaches result in the loss of value, but so can data manipulation. This reflects the changing nature of cyber security at large – it is now more about protecting an enterprise’s values, brand and reputation than just about network security.
Disinformation is still an emerging frontier for cyber security, and we will need unconventional techniques far beyond data breach notifications and regulatory fines. New alliances and partnerships must emerge between industry and government. More than that, our fundamental assumptions of what a cyber attack looks like must also evolve.
But the first step is recognising it as a new type of online risk where effective cyber security is part of the solution.