Enterprise CISOs must consider disinformation and misinformation campaigns targeting their companies and industries as part of their threat model. Organizations must also develop disinformation response plans, similar to incident response actions.
Operational Resilience
Cyber Resilience
Risk Management

CISOs Urged to Prepare for Evolving Disinformation Tactics

George V. Hulme
/
Nov 21, 2024

While the voting in the 2024 U.S. presidential election is complete, experts warn that the risks of election-related disinformation campaigns will persist through Jan 6 when Congress ratifies the results. U.S. Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly told Reuters that the 2024 election faced an “unprecedented amount of disinformation” but no activity that could directly impact the results of the 2024 election. Still, there were numerous examples of election disinformation targeted at voters—and experts don’t see disinformation targeting enterprises going away any time soon.

Listen to this podcast on information warfare

Several such election-related fakes, including two prominent videos that falsely claimed to be from the FBI, emerged. These videos included false claims about terror threats at polling stations, voter fraud, and rigged inmate voting within Pennsylvania, Georgia, and Arizona prisons. On election day, hoax bomb threats were targeted at polling places within battleground states. The FBI determined the hoaxes originated in Russia.

According to CISA, there are three distinct types of information threats:

  • Misinformation: False, but not created or shared with the intention of causing harm.

  • Disinformation: Deliberately created to mislead, harm, or manipulate a person, social group, organization, or country.

  • Malinformation: Based on fact, but used out of context to mislead, harm, or manipulate.

Such information threats are a growing enterprise risk. 

“Corporate political statements and initiatives can make companies targets for hacktivism and disinformation campaigns,” says Michael Farnum, advisory CISO at technology services provider Trace3. “Those initiatives can also be used by groups that want to further their political cause through exaggerated messaging,” he says. 

“Corporations in some way affiliated with one side of the political spectrum have been targeted for a while,” adds Farnum. Corporations are also targeted for for-profit motives or to advance nation-state interests. One famous example occurred in 2018 when a forged U.S. Department of Defense memo stated that a large semiconductor’s plan to purchase another technology vendor had national security implications. The stock of both companies fell. 

Information Attack Threats and Mitigations

In her book Manipulated, Fortalice Solutions CEO Theresa Payton highlights several high-profile information attacks. For instance, in 2013, a fraudulent media release falsely stated that ANZ Bank had withdrawn a $1.2 billion loan facility from Whitehaven Coal. This misinformation quickly spread, leading to a sharp decline in Whitehaven Coal’s stock price. The company’s shares fell by almost 9% due to the hoax. More recently, Payton notes, opponents of vaccination have attacked doctors and healthcare organizations by posting fake negative reviews, undermining their credibility and patient trust.

The rise of AI-generated content is going to compound and accelerate these challenges. Security teams already report sophisticated spear-phishing campaigns that use deepfake videos of executives making controversial political statements designed to provoke emotional responses and bypass security awareness training.

CISOs need to consider ways to defend their organizations from such attacks. Experts agree that information attacks must be part of the CISO’s threat model, and include potential threat actors and their motives to launch information attacks, whether domestic politics, nation-state adversaries, or extortion. They also need a way to monitor conversations online in various forums and across social media to identify threats before they potentially strike. 

Disinformation Response Plans a Must for CISOs

That threat modeling and intelligence work must fit into a comprehensive disinformation response plan. Similar to incident response plans, organizations should include team roles and responsibilities clearly defined in the event of an information attack. Just as incident response plans must be tested, so must disinformation response plans be tested in tabletop exercises.

Payton says such preparation is key to an effective information attack response. Payton adds that the following key components of that plan should include:

  • Designated Reporting Channels: Have a single point of contact for reporting suspicious activity. This enables swift assessment of incoming reports and the ability to differentiate genuine threats from false alarms.

  • Crisis Communication Plan: Deploy a prepared crisis communication strategy to address public and internal concerns transparently, without exacerbating the spread of misinformation.

  • Continuous Monitoring: Keep monitoring the attack’s progress, sharing updates internally, and adapting the response as the situation evolves.

As part of this plan, to effectively mitigate information attacks, enterprises should also consider coordinating with industry partners to share resources and insights and building or maintaining relationships with external response teams for technical and press relations support. They should also connect with business partners and industry groups to prepare for an industry-wide response when appropriate.

“Setting up a global or industry-specific threat intelligence hub allows organizations to share insights and warnings instantly. This can function like a 'red phone' for direct, immediate communication."

—Theresa Payton

Payton says such collaboration, in the form of real-time sharing, is one of the most effective ways to manage active attacks through real-time threat sharing. 

“Setting up a global or industry-specific threat intelligence hub allows organizations to share insights and warnings instantly. This can function like a “red phone” for direct, immediate communication, facilitating collaboration between companies, government agencies, security experts, and even media outlets. Rapid information sharing is key to containing an attack’s impact and understanding the broader context,” she advises.

Farnum adds that enterprises should also consider implementing formal brand protection monitoring. “They should also watch their third-party relationships for partners who might be controversial. They don’t necessarily have to break the partnership, but staying aware and ready with a communication plan is smart,” he says.

Finally, enterprises must remain ready to change strategies as threat actor tactics will constantly evolve. “Regularly updating cybersecurity protocols, tools, and training based on the latest research and threat intelligence helps ensure that defenses are robust and up-to-date. Staying informed on emerging cyber manipulation techniques and incorporating continuous improvements in incident response helps organizations remain resilient in the face of new and unexpected challenges,” Payton advises.

Operational Resilience
Cyber Resilience
Risk Management
George V. Hulme

George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.

Stay in the know Get the Nexus Connect Newsletter
You might also like… Read more
Latest on Nexus Podcast