Brands face a new online threat: Disinformation attacks
6 min read.Updated: 09 Oct 2020, 12:12 PM ISTRobert Mcmillan, The Wall Street Journal
For years cybersecurity has focused on technical problems, but social-media campaigns to spread bad information about companies is an emerging issue
An unscrupulous company uses Twitter bots to spread rumors that a competitor is sharing data with China. A short seller spreads lies about a company’s business practices in a conspiracy-minded online community to drive down the stock price. Both could cause harm, and both are examples of a new threat poised to hit businesses, cybersecurity experts say.
For years online security has focused on hard technical problems: Fixing software bugs or concealing data with cryptography. Today, a new front is emerging: Disinformation attacks. Once the near-exclusive provenance of nation-state attackers and activists, disinformation campaigns are starting to become a problem for corporations.
“Right now everybody is implicitly assuming that the only possible victim is an election," says David Perlman, a former Twitter Inc. data scientist who is now developing ways for corporations to counter disinformation at the computer security company Leviathan Security Group Inc. “There’s no reason that a company couldn’t be a victim," he says.
Disinformation is very similar to its sister term, misinformation: Both refer to false or misleading information. But with disinformation the bad information is spread with the intent to deceive.
Disinformation is the newest manifestation of the shady art of mental manipulation, which already has a history in the world of cybersecurity. First there were phishing attacks, where victims would get bogus email messages designed to trick them into divulging their online passwords or downloading malicious software. These early efforts evolved into more complicated “social engineering" techniques, where hackers first conduct background research and then call employees pretending to be co-workers, for example, and trick them into handing over data granting access to corporate networks.
A growing group of cybersecurity thinkers believes that disinformation is a new weapon in these psychologically driven attacks—one that will be used by cyberattackers too, perhaps for extortion, market manipulation or to damage the reputation of a rival company.
“In the last 10 years, the information age has really matured," says Marc Rogers, vice president of cybersecurity strategy with the security company Okta Inc. “Now for just a few thousand dollars you can invest in some infrastructure and you can launch a disinformation campaign that will bring a country the size of America to its knees. That’s an unprecedented impact in terms of asymmetric warfare."
Pablo Breuer, a former Navy officer, was a mission director at the National Security Agency in the early 2000s when a series of global computer worms served as a wake-up call to corporations about the importance of cybersecurity. He thinks that companies are on the verge of a similar awakening—this time on the disinformation threat.
Though hackers and nation-states have created disinformation campaigns to sway public opinion around issues, such as the 2016 election and the origins of the novel coronavirus, there is no clear evidence that they have targeted companies with similar campaigns. Still, potential threats are myriad, cybersecurity experts say.
With few legal restrictions on spreading disinformation and the wide-open nature of social media platforms, these experts worry that adversaries may resort to extreme tactics, such as deepfakes—video, audio and photographs doctored using advanced techniques.
This kind of problem is already starting to pop up, although the motivations for the attacks remain murky. So far, they don’t appear to be criminally motivated.
Earlier this year, protesters in the U.K. began threatening wireless company employees and destroying mobile wireless transmitters, fueled by conspiracy theories spread on social media that linked Covid-19 to 5G wireless networks. One employee of BT Group PLC, a telecommunications provider that is building a 5G network in the U.K., had to be hospitalized after being stabbed. The mobile industry is working with social media platforms to remove the misinformation and harmful content, says a BT spokesman.
In July, false rumors started spreading on Twitter and Instagram that the online home-goods retailer Wayfair Inc. was engaging in child sexual exploitation through high-price, industrial-grade cabinets with girls’ names. A Wayfair spokeswoman says that the company acted quickly to debunk the claims and remove the listings of the cabinets in question, but months later, the conspiracy theory continues to generate posts on social media.
The origin of the Wayfair incident—whether part of a strategic campaign to damage the company’s brand or an instance of rumors run amok—is unclear. It is possible, Mr. Perlman and Mr. Breuer say, that it was a test run for future attacks. The point is that in the age of social media, hackers, competitors and other bad actors have a new tool to wreak havoc online, without ever needing the technical prowess to break into corporate networks.
Companies are going to need to take even more aggressive steps, such as monitoring social media for disinformation and deepfakes, so that they are aware of potential problems before issues go viral. While research is in its early days, they call defenses against these attacks “cognitive security" or “misinfosec."
Companies including Reston, Va.’s Mandiant, New York’s Grahika Inc. and Washington, D.C.-based Alethea Group specialize in providing early warnings and analysis of online disinformation, helping their clients get a clear picture of online discussions and how to respond to them. Are they dealing with a grass-roots boycott or something more sinister, like disinformation? Is the behavior coordinated? Is a foreign entity behind it? Is the information reaching their customers or not?
Mr. Perlman believes that social media companies such as his former employer, Twitter, could one day sell these types of services too.
Social-media companies are accustomed to blocking spam or banning users for inappropriate content, but they have been caught flat-footed by widespread efforts to manipulate the platform with conspiracy-minded content that doesn’t look like spam, Mr. Perlman says.
A Twitter spokeswoman says the company aims to “limit the spread of potentially harmful and misleading content."
Corporations can’t simply wait for social-media companies to act and must develop a playbook for thwarting weaponized disinformation, data scientists say.
Businesses will need to do more in the age of disinformation warfare. They will need to be more transparent in disclosing information that could be weaponized—listing political donations, for example, Mr. Breuer says. Disinformation attacks begin with a kernel of truth (a company donated to a particular candidate) but spin that information to come to a false conclusion (the donation was payback for a political favor). Self-disclosure could help stop disinformation before it spins out of control.
Cyber teams will need to team up with communications departments to run exercises where disinformation campaigns are detected and debunked.
To fight back against deepfakes, a defender could seed the internet with intentionally fake photographs of himself, so that the authenticity of any new photographs would immediately be called into question, Mr. Perlman says. It is an extreme measure, but it could minimize the impact of further deepfake releases, he says.
Another extreme measure: A company might fight disinformation with disinformation by introducing divisive messages that split up or distract the people who have embraced the initial disinformation. The company could release words and images about a benign target, such as a fictional corporation, foreign country or nonexistent location, to redirect the online mob.
“If there are no police, and you are living in the Wild West, then you have to arm yourself," Mr. Perlman says.
Write to Robert McMillan at Robert.Mcmillan@wsj.com