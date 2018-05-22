In information security, we have a concept called the C.I.A. No, not that CIA — it’s the information security triad of confidentiality, integrity and availability. Maintaining the confidentiality, integrity and availability of information is the guiding principle of information security — the mission statement of the entire industry.

We’re all quite familiar when elements of the C.I.A. mission fail. For example, the Equifax breach was a major failure in protecting the confidentiality of personal financial information. The Dyn DDoS attack, which knocked major sites like Twitter and Netflix offline for many hours, was a major failure of the mission to ensure the availability of information.

But what about integrity? When you ask traditional information security practitioners about what they imagine a major failure in the protection of the integrity of information might look like, they quote almost comically mundane examples, like the case of the student hacking into their school’s IT systems to change their grades, or some ridiculously contrived scenario that involves hacking into a medical record to change a blood type or medication dosage.

The reason integrity doesn’t quite bring to mind such obvious examples like the Equifax breach or the Dyn attack is that the idea of information integrity, unlike confidentiality or availability, isn’t binary. Integrity — defined as the overall completeness, accuracy or consistency of information — is a fuzzier standard than whether or not data is viewable by its intended recipient. Humans are notoriously bad at determining what’s actually true — we have entire constructs like the scientific method or the legal system that exist solely to elicit the truth, and even those fail quite often.

But I argue that the massive confluence of disinformation campaigns we experienced during the 2016 election is also an example of a major security incident — the Equifax of integrity, if you will. While the attack wasn’t particularly sophisticated from a technical perspective, especially when compared to highly technical “bugs” like Spectre or Meltdown, what we observed throughout 2016, 2017 and today is just as major a hack as the Equifax breach, the OPM breach or the NotPetya attack. In fact, I’d argue it has been one of the most effective hacks of all time.

While it may seem like arguing over semantics, treating disinformation as a security problem has significant — and useful — implications. Specifically, we can start to use all of the tools we’ve developed for information security to start tackling the issue.

For example, in information security, we have a concept called threat modeling, in which we create summaries of both hypothetical and observed personas and scenarios around attacks to a given system. The parallel disinformation campaigns experienced during the 2016 election cycle lend themselves well to threat modeling. There was a state-sponsored campaign run out of the Internet Research Agency in St. Petersburg (which, I should note, bled into other activities such as identity theft and bank fraud, as outlined by special counsel Robert Mueller’s recent indictment, further demonstrating the strong overlap with more traditional information security topics). There were affiliate marketing scams coming out of Macedonia that were entirely financially motivated.

And there was plenty of activity in-between, all of which became enough of a perfect storm of disinformation to affect the outcome of a U.S. presidential election.

We can start to see a spectrum of threat models emerge, from state-sponsored propaganda activity with strong political motivations to ad fraud schemes that are purely financially motivated. The advantages of creating such detailed threat models are two-fold: First, they inform us of where we can collect intelligence on these types of activities, from employing government resources to lurking on 4chan. This can help us get out ahead of campaigns and activities and avoid being duped.

But more importantly, threat modeling can help us illuminate effective interventions. For example, state-sponsored organizations use traditional media such as radio and television, which call for licensing and regulatory interventions, while troll armies use hate speech, abuse and harassment, indicating a need for stronger enforcement of those policies by the platforms. Large corporate-sponsored campaigns, such as the one we saw perpetrated by Cambridge Analytica, demonstrate the tactic of misusing microtargeted personal data and indicate that stronger privacy regulations like the General Data Protection Regulation could have a significant impact on countering disinformation. And affiliate marketing schemes that exploit hyper-partisan “junk news” content to drive clicks and sell ads reveal that ad tech companies need to do much more to ensure brand safety and enforce quality standards.

These are just a few examples of how, by treating disinformation as an attack on the integrity of data and applying information security principles to combatting it, we can quickly develop intelligence and, more importantly, identify effective interventions.

Source: Forbes