Hi All
Should Fake News, given its use as a prelude to an attack, rather like Sun Tzu principles, now be treated as an official cyber threat?
Happy New Year 2021
Regards
Caute_Caute
One of the problems is who is the judge of whether it is fake news or not?
I have learned (and struggled with this as a human) that there are often two sides to every story. And even those two sides have varying levels of truth, lies, personal agendas, and life experience filtering. And then you add in personal, political, religious, cultural, societal, etc., etc., and you come up with personal stories that may contain bits of truth and/or facts. The person/agency/etc. who makes the judgment would have to be able to discern how much truth is real and not fake and then declare the item as such.
And what do you do when a conglomeration of people with like ideas or goals purchases and owns a dominant portion of the media and can control the group think message going forward? How can you combat the "fake news" pushed out by them when they control the news? As an example, someone put together a collection of 24 local news outlet broadcasts across the USA. They started out with one group of news anchors speaking and adding more and more so it became a combination of all of the audio tracks. These supposedly "local" news stations were all pushing the same message, almost word for word. So it seems that they were directed by higher ups to repeat the company line and not to stray from it. So much for local objectivity. Rules made for the urban city do not always work in the rural country and vice versa.
When I look for news, I look for news items from both sides and use several websites, some that support my personal views and some that do not support my personal view. That way I can try to be as objective as I can and try to see the points of view from both sides. The problem I am seeing lately is that there is a move towards group think and less and less objectivity and questioning authority.
I remember in my younger days seeing a bumper sticker that read "Question Authority" and I thought that it had a tone of anarchy about it. Now that I am older I see the wisdom in questioning authority. It doesn't say resist authority or fight authority, it says to question authority. If we do not question authority from time to time it can lead to tyrannical rule.
In cyber security, I am seeing a new trend of, when a breach happens, to lawyer up first and then try to release what happens. I understand it from the fact that we have become a litigious society, but delaying the truth sometimes makes the disaster recovery worse. In cyber, we also have to deal with the fact that too early of a release of information can cause the bad actors to rush to implement the vulnerability before a fix can be released. So if you are seeing some "fake news" in regards to cyber security, there could be some reasons behind it. Vendors often rush in, usually motivated by the desire to sell a fix for the problem.
I would say it depends on your school of thought or the scope of Cyber/Information Security within the Enterprise. If your org. follows the CIA Triad then it's not within scope. If it aligns more to the Parkerian Hexad then it falls under authenticity and is within your scope. The link below is our previous conversation between the two models.
https://community.isc2.org/t5/Governance-Risk-Compliance/The-Parkerian-Hexad/m-p/40272#M161
If the message is part of the delivery package like the article references, I'd place that into Social Engineering. With Social Engineering we're trying to prove authenticity of the email, phone call, etc. If we're trying to prove if Tweets or posts are authentic with the information it's presenting, I wouldn't consider that within our scope. But I'm always open to changing my mind.
@Caute_cautim wrote: Hi All
Should Fake News, given its use as a prelude to an attack, rather like Sun Tzu principles, now be treated as an official cyber threat?
...
I agree that fake news is, and should be treated as, a cyber threat. We are in the information business, not simply the digital business.
I disagree with @tmekelburg that fake news does not fit within the scope of the CIA framework, because the Integrity leg of the triad must deal with legitimacy, truthfulness, and accuracy of the information, not simply whether it has been modified improperly since initial creation. I appreciate the additional reference to the Parkerian Hexad, which is my favorite among all Cybersecurity frameworks.
Relating to this discussion I recommend a recent paper co-authored by a personal friend and professional colleague, Dr. Char Sample, who has been researching and publishing on fake news for at least five years.
Interdisciplinary Lessons Learned While Researching Fake News
https://doi.org/10.3389/fpsyg.2020.537612
I particularly like how this new article brings out the interdisciplinary nature of cybersecurity as a blend of computer science, information science, and the social sciences.
Happy new year!
Craig
@CraginS wrote: Relating to this discussion I recommend a recent paper co-authored by a personal friend and professional colleague, Dr. Char Sample, who has been researching and publishing on fake news for at least five years.
Interdisciplinary Lessons Learned While Researching Fake News
https://doi.org/10.3389/fpsyg.2020.537612
Wow, great article! I'll have to read that over a few times to really soak in the content. Some questions that came to mind as I was reading:
Images of planes dropping propaganda leaflets on small third world country villages came to mind as well...
Really the only reason I didn't include the CIA model in scope for authenticity checking was because some definitions on integrity have authenticity worded into the definition and some don't.
In addition to some of the good points made by others, it is also dangerous as a method for delivering malicious payloads. Just as people are finally starting to get the concept of not opening suspicious emails, along comes a new type of "spam" that is so precisely targeted to people's preconceived views that they will click anything.
I've gotten at least one spammed video link messaged from my own mother every month over the last 18 or so because she kept getting her Facebook account hacked by clicking on easily identifiable fake links for videos or stories.
I'd be interested to see an estimate of how much bandwidth is wasted worldwide because of people sending, reading, or watching fake news stories and videos. Not that my kid doesn't waste her fair share watching other people open toys or play games she owns...but at least those won't cause her to walk into a pizza place with an AK-47 (I hope).
@Startzc THAT! That is one of my biggest pet peeves about all this "third-party" fact checking. They (FB, Twitter, and others) can't even keep the spammers and scammers off of their sites but they bring in these so-called outside, "unbiased" fact-checkers to "fact check" certain things?
No thank you. Clean up your house first of scammers and spammers, then let's talk about fact-checking!
The issue there isn't a "can't do it"; it's that even those scammers and spammers count toward their advertising click dollars, so they don't want to get rid of them. At least not until they've had time to rack up enough activity to count for how they charge their advertising customers.