The immediate implications of cleaning up a standard data breach are fairly pre-calculated. The next stage is troublesome and leads companies to throw money at sometimes futile PR campaigns.
How much simpler might it be if dis- or misinformation campaigns only targeted the extreme? Customers run the gamut from conspiracy theorists to bored homebodies scrolling the internet.
Regaining trust is equal parts PR and cybersecurity. "The players in an organization that are responsible are ambiguous, because everyone's responsible, yet no one's responsible," said Tom Gann, chief public policy officer at McAfee.
Cybersecurity has garnered greater authority in the enterprise as the weaponization of disinformation grows. Cybersecurity and disinformation are colliding in an information arena that's atypical of traditional cyberthreats.
Using "technical means, malware and traditional disinformation strategies, to achieve objectives is really one of the new battle landscapes that we see," said Gann. "We absolutely see the manipulation of data. We see it in a number of domains and information warfare in cyber, and it tends to be unified today more and more as an overarching strategy."
Johns Hopkins defines disinformation as an effort to disseminate "deliberately false information" with the end goal of influencing policy. Misinformation isn't a deliberate practice; instead, misinformation spreads incorrect information, sometimes benignly.
Factoring dis- and misinformation into a threat model can allow a company to combat lies and protect its reputation. But disinformation doesn't come neatly packaged in a conspiracy theorist Facebook group. Sometimes it's hidden in a larger cybersecurity incident.
The European Medicines Agency (EMA) was subject to a cyberattack that resulted in a data breach in December. In January, the agency found "some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines."
Consumers lose trust if unauthorized parties access data, and repercussions are worse if data is changed. Ensuring the reliability of security safeguards is a short-term issue. Ongoing consumer skepticism will take longer to mitigate.
If consumer trust is eroded, mending those relations is a less-predictable expense on an unknown timeline. Direct costs of a breach are about $900,000, including notifications, legalities and subsequent technological investments, according to Gartner. Indirect costs, which include the price of damaged reputations, are less predictable.
Public sentiment toward a company decreases an average of 18% in the first day following a typical data breach, though in some incidents the decline is 36%, according to Gartner.
When stolen data is modified before it's posted, it usually means the hacker wanted to influence public opinion by corrupting factual integrity.
It's a mind game in chaos, said Greg Foss, senior threat researcher at VMware Carbon Black. "The path to such measures takes an intricate and interweaving pattern, affecting the mind and core institutions of the population at large."
Data breach with an asterisk
The threat model will evolve as the intent behind attacks is understood. The desire to manipulate data, in most cases, is to cause harm, according to Vera Zakem, senior technology and policy advisor at the Institute for Security and Technology.
Threat actors who alter the information they steal typically set out to do any of the following:
- Damage the reputation of the targeted organization or product
- Erode consumer trust
- Destabilize government programs
- Increase overall business risk
The "one thing that disinformation does, and what we have seen, is [it] decreases trust in the institution," said Zakem. It is the one constant of these information-based campaigns.
Traditional data breaches are often financially motivated, with the stolen data put up for auction, or they are part of a greater cyber espionage campaign.
"It's important to preserve data in its original form and package it for sale via the dark web or alternative criminal marketplace," said Stephen Cavey, co-founder & chief evangelist of Ground Labs.
The "Operation get rich or die trying" by convicted felon Albert Gonzalez is a reflection of this type of transaction. Gonzalez sold authentic payment data because its original form is what created market value, said Cavey.
Cybercriminals will likely go the route of dark web marketplaces, whereas nation-state actors use cyber espionage for accessing proprietary data for economic or technological competition. Over the summer China-based hackers and Russia-based APT Cozy Bear were reportedly targeting vaccine developers globally.
Other cyber actors who might be interested in swaying public opinion are hacktivists, motivated by grudges or ideologies, said Cavey. Sometimes changes to data are so minimal that they slip by undetected. Those missed data changes could invalidate the perceived efficacy of a drug or whatever other information was compromised.
The risk of hacktivism is expected to increase by 44% over the next two years, according to an ESI ThoughtLab report of more than 1,000 companies globally. More than one-third of CISOs expect hacktivists to contribute to the largest financial losses compared to other types of cyber criminals.
The EMA's investigation is ongoing and it hasn't publicly attributed the attack to anyone yet. The agency did not return multiple requests for comment by publication.
It's unknown if the EMA breach was caused by an organized crime group or by nation-state actors, said Zakem. In either case, the end goal was likely to dissuade the public from taking the vaccine, or at least Pfizer's vaccine.
The EMA was an ideal target, she said. Though Pfizer or BioNTech were not compromised in the attack, the revisions to the data were an assault on the vaccine, its distributors and on the government agency.
"I see this as an attack on societal structure," said Egon Rinderer, global VP of technology and federal CTO at Tanium. It's an "attempt to destabilize an entire construct through which doubt can be introduced."
About half of organizations experience customer fallout and diminished brand value following a breach, according to Forbes Insights. Nearly one-fifth of organizations face the same reputational damage even if the breach was due to a third-party partner.
"In a situation that has this broad an impact, blame is cast in all directions. There's a demon behind every bush, so to speak," said Rinderer. "Politicians, drug companies, tech companies; they all receive their share of blame."
The EMA breach is reflective of failings within the agency, but the implications cascade throughout organizations relying on it.
The pandemic already expanded the divide between conspiracies and reality. It created an information crisis that sophisticated threat actors tend to thrive in. Consumer confidence has been declining since the onset of the pandemic, according to Forrester. Consumers started to feel their circumstances were out of their control, which impacted how they trust companies.
"The implications are profound for consumers, citizens and organizations themselves," said Gann. Depending on the adversary, hurting equity in the private sector is a component of desecrating Western ideals.