When it comes to misinformation, it's a Herculean task to rein it in once it's bounced around the internet, security experts argued at the RSA Conference this week.
"The overwhelming majority of people who are ever going to see a piece of misinformation on the internet are likely to see it before anybody has a chance to do anything about it," according to Yoel Roth, the former head of Trust and Safety at Twitter.
When he was at Twitter, Roth observed that over 90% of the impressions on posts were generated within the first three hours. That’s not much time for an intervention, which is why it's important for the cybersecurity community to develop content moderation technology that "can give truth time to wake up in the morning," he says.
"It's a hacking of people problem," lamented panel moderator Ted Schlein, chairman and general partner at Ballistic Ventures, a cybersecurity venture capital firm. "In my view, if we spend so much time, energy, and dollars fighting to protect our technology and our systems, shouldn't we be doing the same for people?"
The cybersecurity community should focus on creating ways to detect and shut down disinformation while mitigating its effects, Schlein argued. Presumably, this call to action includes targeting misinformation, which differs from disinformation as it relates to intent. (Misinformation is defined as "incorrect or misleading information," regardless of intent. Disinformation is a lie told deliberately to influence opinion or cover up a fact.)
Disinformation and Misinformation in the News
Here are some recent examples of disinformation campaigns and misinformation spreaders caught in the act:
- Medical professionals have been complaining for years about patients taking dangerous advice from "expert influencers" on platforms such as TikTok and YouTube.
- A Chinese disinformation operative exposed a plan to discourage Americans from voting by spreading lies online.
- Last year, climate change deniers found themselves de-platformed by Pinterest.
- Spotify darling Joe Rogan briefly found himself in hot water for airing conversations with COVID-19 deniers.
- Experts say the "playbook" for disseminating the kind of disinformation seen in the run-up to the 2016 general election in the United States is being exploited around the world.
- As PCMag's Chandra Steele writes, antisemitic conspiracy theorists are making their voices heard on Twitter, and the platform is failing to protect its users.
Can We Keep People From Social Media Lies?
Speaking of Twitter, Roth is very familiar with the company’s battles with misinformation. During the whirlwind of changes to the platform since Elon Musk was forced to buy it in 2022, Twitter abruptly dissolved its Trust and Safety Council in December, and Roth was reportedly compelled to go into hiding following an online smear campaign.
Roth began his part of the panel discussion by noting that it's natural for knowledge and perceived truths to change over time, and "something that is known to be true with absolute certainty one day could be known to be totally false another."
Roth cautioned that misinformation is not actually like malware because malware is software that has been designed to generate a specific outcome every time it runs. Disinformation doesn't guarantee the intended results. Effectively tackling misinformation and disinformation online will require dynamism and flexibility from cybersecurity developers, Roth said.
How to Protect Your Business From Disinformation
"Disinformation is fast, cheap, and easy to do," remarked Lisa Kaplan, CEO of cybersecurity firm Alethea, who spoke about how disinformation can affect corporate interests. Kaplan cited attacks from Chinese hacking groups on US-based businesses, a claim supported by the new National Cybersecurity Strategy introduced last month.
Kaplan advised organizations to keep their eyes peeled for potential disinformation threats in online public spaces and clear up any untruths before they can reach a wide audience. Kaplan also recommended that businesses use workforce training sessions to mitigate disinformation threats. She used anti-phishing workshops as an example of effective workforce training that could be reworked to shut down disinformation threats.
The 1st Amendment Says What?
Another panel participant was Catherine Gellis, an attorney and policy advocate, who noted that if you look at speech threats from a legal perspective, the US Constitution’s First Amendment protects some forms of disinformation or misinformation.
"Sometimes people are wrong," explained Gellis. "Wrongness happens, and if you had a law that was speaking to wrongness and forbidding it, you would have some chilling effects on people who are saying things they are right about."
The government shouldn't be the sole arbiter of truth regarding online speech, she said.
However, all is not lost, according to Gellis, who says the First Amendment also protects private corporations' rights to limit speech on their platforms. This means that a US-based social media company like, say, Twitter, can determine its version of "facts" and moderate users' posts accordingly. Gellis cited Section 230 and said it exists to allow websites to moderate user-generated content without the threat of legal liability.
3 Disinformation and Misinformation Discussion Points
The assembled panel did not present specific ways for the cybersecurity community to combat disinformation or misinformation online, but the panelists offered the following points for audience consideration:
- Roth advised that business leaders should consider company-wide approaches to combatting disinformation and misinformation because bad actors don't care about org charts. "It's always kids who do this stuff," remarked Roth, who referenced the “Great Hack of 2020,” in which a financially motivated spear-phishing attack on a low-level Twitter employee compromised the Twitter accounts of high-profile users such as former President Barack Obama, Bill Gates, and Elon Musk. Roth noted that in the case of these high-profile hacks, the perpetrators were attempting to run a crypto scam by spreading false messages to huge audiences. Still, the exposure could have allowed the perpetrators to spread far more dangerous messages.
- Kaplan emphasized that businesses should devise internal systems to communicate their truths swiftly with employees and stakeholders when targeted by a disinformation attack. She said that getting in front of their audience with clear statements tends to steer the interest away from false messages.
- Gellis stated that she does not think that some forms of legislation, such as Montana's TikTok ban, are a viable solution to combat misinformation or disinformation due to their overwhelming potential for government overreach.
For more RSAC 2023 coverage, check out PCMag's event hub.