Disinformation is undoubtedly on more people’s radars – Federal IT pros included – heading into 2021 and beyond. But just because we know more about it doesn’t mean we are better prepared to face the challenge that disinformation is posing.
With a normal cyber attack, the government is often targeted directly. Disinformation is different. Instead of attacking core infrastructure, bad actors or nation states attack the population by attempting to skew their beliefs.
Disinformation, a form of misinformation that is created specifically to manipulate or mislead people, is becoming more prevalent – in part because it’s easy to create and disperse. The tools behind deepfakes and malicious bots have been democratized, creation can now be automated, and disinformation-as-a-service has emerged. The Kremlin-backed Internet Research Agency, often referred to as a “troll farm,” sows disinformation everywhere – as do many nation states and domestic organizations.
From an agency perspective, the threat of disinformation has two key components. Nation states and bad actors are using disinformation to discredit agencies and target government employees. While Federal CIOs cannot tackle this problem alone, they can take some steps to mitigate the risk these threats pose. Let’s take a closer look at each component, and what Federal IT pros can do about it.
Retaining Agency Credibility
Nation states and bad actors can harm an agency without targeting them directly utilizing a cyber attack. They could, for instance, impact the number of coronavirus vaccines administered by the Department of Veteran Affairs by using disinformation to sow distrust about vaccine effectiveness or safety among veterans. While Federal agencies cannot control the media or its message, they can run awareness campaigns to counter the threat of disinformation, while also creating certified FAQs and resource pages for constituents.
DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has already been implementing this strategy, as seen with its disinformation toolkit specific to COVID-19. Along with other approaches, the toolkit highlights the most reliable sources for pandemic-related information. In 2019, CISA also released an evergreen infographic demonstrating how foreign influences stoke division between Americans through information campaigns.
While Federal CIOs alone cannot regain control of information in the internet age, agencies can consistently remind people that they represent a reputable source – and can be diligent in only driving constituents to other reputable sources. Agencies may even look to more traditional efforts, like marketing, in order to disseminate verified information to their constituents. Although this represents just one step of many needed to curb the threat of disinformation, it will help offset bad actors’ attempts to discredit agencies.
Educating and Protecting Employees
Disinformation can also lead to insider threats. Social media and other sources of inaccurate information can radicalize employees, who may then feel compelled to steal sensitive data or IP. Just as disinformation is now for sale, insider-threat-as-a-service exists as well. While bad actors and nation states formerly attempted to bribe and extort their way to sensitive information, they can now either serve disinformation to existing employees, or ultimately become employees themselves.
To prepare for the former, agencies need to implement more education and disinformation training programs. Just as employees must complete training related to IT and HR, they should be required to take classes on recognizing disinformation. They should understand the techniques and procedures nation states will leverage to skew the public’s common belief system and know how to validate news sources. Employees need to be trained on the use of verifiable information fused with false information to alter narratives and discredit reliable sources. While IT pros may feel like such education is beyond their purview, it relates directly to insider threats. By helping employees validate sources, you’re actually protecting your data in the long run.
Additionally, in order to combat both types of insider threat, Federal agencies must be adept at continuous monitoring of user behavior. By having a baseline of normal user behavior, agencies will be able to determine if a radicalized employee is attempting to hoard data or access restricted information. The same can be said for someone who joined an agency with malicious intent in mind. There is simply no way to completely eliminate the threat of disinformation and malicious insiders. Thus, Federal IT pros must put behavioral analytics in place so they can quickly identify and respond to potentially dangerous user behavior.
Sowing Chaos and Confusion
In addition to the two key components previously mentioned, there is another role for the Federal government that may assist in limiting disinformation efforts. While not applicable to most agencies, a concerted effort to discredit foreign influencers may play a role in limiting their effectiveness.
Often times, nation states leverage third parties such as organized crime in their efforts to sow confusion. If the U.S. government were to respond to disinformation campaigns with equal efforts against the parties launching them, confidence in those parties may raise questions and limit nation states’ confidence in using these resources. In other words, if organized crime is sowing disinformation on behalf of a nation state, then a carefully orchestrated effort discrediting them in the eyes of the sponsoring nation may limit their effectiveness and ability to operate offensively. This would have the effect of lowering incentives to create these campaigns.
The Bottom Line
The tough reality is that, in an age of social media, there is no silver bullet to combat this real and growing threat. Everyone must be diligent about questioning what they see online, as opposed to simply taking it at face value and internalizing it as facts. Still, Federal IT pros should be most concerned about disinformation undermining their own credibility – and potentially turning their own employees against them.
Awareness is crucial to combating disinformation on both fronts, but it should be supplemented by behavioral analytics. Federal IT pros should proceed as if disinformation is already impacting both their employees and constituents – because it is. This is an all-hands-on-deck issue, but there are many ways to begin combating the threat of disinformation today.