Caute_cautim
Community Champion

Fake News should be treated as a Cyber Threat

Hi All

 

Should Fake News, given its use as a prelude to an attack, rather like Sun Tzu principles, now be treated as an official cyber threat?

 

https://www.computerweekly.com/opinion/Its-time-to-accept-that-disinformation-is-a-cyber-security-is...

 

Happy New Year 2021

 

Regards

 

Caute_Caute

8 Replies
CISOScott
Community Champion

One of the problems is who is the judge of whether it is fake news or not?

I have learned (and struggled with this as a human) that there are often two sides to every story. And even those two sides have varying levels of truth, lies, personal agendas, and life experience filtering. And then you add in personal, political, religious, cultural, societal, etc., etc., and you come up with personal stories that may contain bits of truth and/or facts. The person/agency/etc. who makes the judgment would have to be able to discern how much truth is real and not fake and then declare the item as such.

 

And what do you do when a conglomeration of people with like ideas or goals, purchases and owns a dominant portion of the media and can control the group think message going forward? How can you combat the "fake news" pushed out by them when they control the news? As an example, someone put together a collection of 24 local news outlet broadcasts across the USA. They started out with one group of news anchors speaking and adding more and more so it became a combination of all of the audio tracks. These supposedly "local" news stations were all pushing the same message, almost word for word. So it seems that they were directed by higher ups to repeat the company line and not to stray from it. So much for local objectivity. Rules made for the urban city do not always work in the rural country and vice versa.

 

When I look for news, I look for news items from both sides and use several websites, some that support my personal views and some that do not support my personal view. That way I can try to be as objective as I can and try to see the points of view from both sides. The problem I am seeing lately is that there is a move towards group think and less and less objectivity and questioning authority.

 

I remember in my younger days seeing a bumper sticker that read "Question Authority" and I thought that it had a tone of anarchy about it. Now that I am older I see the wisdom in questioning authority. It doesn't say resist authority or fight authority, it says to question authority. If we do not question authority from time to time it can lead to tyrannical rule.

 

In cyber security, I am seeing a new trend of, when a breach happens, to lawyer up first and then try to release what happens. I understand it from the fact that we have become a litigious society, but delaying the truth sometimes makes the disaster recovery worse. In cyber, we also have to deal with the fact that too early of a release of information can cause the bad actors to rush to implement the vulnerability before a fix can be released. So if you are seeing some "fake news" in regards to cyber security, there could be some reasons behind it. Vendors often rush in, usually motivated by the desire to sell a fix for the problem.

tmekelburg1
Community Champion

I would say it depends on your school of thought or the scope of Cyber/Information Security within the Enterprise. If your org. follows the CIA Triad then it's not within scope. If it aligns more to the Parkerian Hexad then it falls under authenticity and is within your scope. The link below is our previous conversation between the two models.

 

https://community.isc2.org/t5/Governance-Risk-Compliance/The-Parkerian-Hexad/m-p/40272#M161

 

If the message is part of the delivery package like the article references, I'd place that into Social Engineering. With Social Engineering we're trying to prove authenticity of the email, phone call, etc. If we're trying to prove if Tweets or posts are authentic with the information it's presenting, I wouldn't consider that within our scope. But I'm always open to changing my mind.  

 

CraginS
Defender I


@Caute_cautim wrote:

Hi All

 

Should Fake News, given its use as a prelude to an attack, rather like Sun Tzu principles, now be treated as an official cyber threat?

...


I agree that fake news is, and should be treated as, a cyber threat. We are in the information business, not simply the digital business.

I disagree with @tmekelburg that fake news does not fit within the scope of the CIA framework, because the Integrity leg of the triad must deal with legitimacy, truthfulness, and accuracy of the information, not simply whether it has been modified improperly since initial creation. I appreciate the additional reference to the Parkerian Hexad, which is my favorite among all Cybersecurity frameworks. 

 

Relating to this discussion I recommend a recent paper co-authored by a personal friend and professional colleague, Dr. Char Sample, who has been researching and publishing on fake news for at least five years.

 

Interdisciplinary Lessons Learned While Researching Fake News

https://doi.org/10.3389/fpsyg.2020.537612

 

I particularly like how this new article brings out the interdisciplinary nature of cybersecurity as a blend of computer science, information science, and the social sciences. 

 

Happy new year!

 

Craig

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
tmekelburg1
Community Champion


@CraginS wrote:

Relating to this discussion I recommend a recent paper co-authored by a personal friend and professional colleague, Dr. Char Sample, who has been researching and publishing on fake news for at least five years.

 

Interdisciplinary Lessons Learned While Researching Fake News

https://doi.org/10.3389/fpsyg.2020.537612

 


Wow, great article! I'll have to read that over a few times to really soak in the content. Some questions that came to mind as I was reading:

 

  • How do we instill trust back into Journalism, e.g., trust in Fox, CNN, MSNBC, etc.?
    • AI or ML to initially catch the content and place a label on it saying it hasn't been verified yet?
    • Independent third party companies that label content as fact checked for accuracy or not yet fact checked?
    • Are these companies considered Journalism or Entertainment at this point?
  • Does this need to be built into School curriculum to spot Disinformation and Misinformation?

 

Images of planes dropping propaganda leaflets on small third world country villages came to mind as well...   

 

Really the only reason I didn't include the CIA model in scope for authenticity checking was because some definitions on integrity have authenticity worded into the definition and some don't.

rslade
Influencer II

> Caute_cautim (Community Champion) posted a new topic in Threats on 12-29-2020

> should it now be treated as an official cyber threat?

Ummmmm, I have one word for you.

"Integrity."

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
JavaScript is to Java as pain is to painting.
- (apologies to Eric Elliott, but you got it backwards ...)
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Startzc
Newcomer III

In addition to some of the good points made by others, it is also dangerous as a method for delivering malicious payloads. Just as people are finally starting to get the concept of not opening suspicious emails, along comes a new type of "spam" that is so precisely targeted to people's preconceived views that they will click anything.

 

I've gotten at least one spammed video link messaged from my own mother every month over the last 18 or so because she kept getting her Facebook account hacked by clicking on easily identifiable fake links for videos or stories. 

 

I'd be interested to see an estimate of how much bandwidth is wasted worldwide because of people sending, reading, or watching fake news stories and videos. Not that my kid doesn't waste her fair share watching other people open toys or play games she owns...but at least those won't cause her to walk into a pizza place with an AK-47 (I hope).

CISOScott
Community Champion

@Startzc THAT! That is one of my biggest pet peeves about all this "third-party" fact checking. They (FB, Twitter, and others) can't even keep the spammers and scammers off of their sites but they bring in these so-called outside, "unbiased" fact-checkers to "fact check" certain things?

 

No thank you. Clean up your house first of scammers and spammers, then let's talk about fact-checking!

 

Startzc
Newcomer III

The issue there isn't a "can't do it"; it's that even those scammers and spammers count toward their advertising click dollars, so they don't want to get rid of them. At least not until they've had time to rack up enough activity to count for how they charge their advertising customers.