Cybersecurity focuses on protecting computer systems and digital infrastructure. At first glance, disinformation is not a cybersecurity threat: cyberattacks exploit vulnerabilities in computers, whereas disinformation exploits human vulnerabilities, cognitive biases and logical fallacies. Cyberattacks use malware, viruses, and trojans, whereas misinformation uses deepfakes, manipulated data and misappropriated information.
Yet, there is a lot of similarity in the tactics, techniques, and procedures of cybersecurity and disinformation attacks. Attackers often combine both techniques to achieve their goals, but historically the industry has tended to treat them separately, deploying different countermeasures.
On cognitive hacking:
- Cognitive hacking is the threat from misinformation and online propaganda.
- It exploits people’s inherent biases, which can result in them losing sight of what is real. The goal is to manipulate individual thoughts and behaviour.
- Cognitive hacking is not new, but the advent of algorithmic social media means disinformation can spread rapidly, causing a tremendous and lasting change in people’s perception of reality.
- Misinformation can lead to real-world harm. Take, for instance, the rumours that spread on WhatsApp in India in 2017, which claimed that kidnappers had infiltrated villages to grab young children. The messages even included photos of a gruesome crime scene, which actually showed children in Syria who died in a chemical attack.
- There are similarities in the patterns of disinformation and cybercrime attacks. Hackers drown out the truth by inundating platforms with fake news, just as Distributed Denial of Service (DDoS) attacks overwhelm servers. And people are deploying disinformation campaigns that emotionally manipulate their targets - the same tactic used in phishing attacks.
Lessons from cybersecurity can help tackle disinformation:
- The world of cybersecurity has made great progress in safeguarding digital infrastructure against attacks. By treating misinformation as a cybersecurity issue, we can learn from decades of experience from cybersecurity experts to come up with countermeasures.
- Cybersecurity invested heavily in security best practices, developed rigorous frameworks, guidelines and standards (including threat modelling and global knowledge databases of vulnerabilities and known bugs), and focused on private-public collaboration.
- But the response to misinformation is still developed in silos, with little of the coordination that is key to success.
- The response to disinformation should borrow from cybersecurity’s defence-in-depth strategy - wherein if one defensive element fails, another steps in as backup. In practice, this would mean a chain of human and AI monitors verifying authenticity and fact-checking, who can intervene before the fake news is posted or remove it after the fact.
- Education is also a prominent and impactful method of reducing cybersecurity risk, with employees and the public often trained to enhance awareness of threats such as phishing emails and malware. Similar efforts must be made to educate people on recognising disinformation.
Why does this matter for businesses?
- Just as businesses have well-defined strategies for dealing with cybercrime, they need to start writing the rulebook on responding to disinformation. Luckily, they can harness these tried-and-tested methods for minimising the damage from cybersecurity threats.