This article is intended to share a reflection rather than to provide answers: it raises a number of questions that anyone responsible for Information Security should ask themselves, in both the short and the long term.
Information Security is defined as a collection of processes and methodologies, designed and implemented to protect private, sensitive or confidential information, whether digital, printed or in any other form, against unauthorized access, use, misuse, disclosure, destruction, modification or damage.
Information Security is often equated with IT security, yet the latter covers only part of the work to be done, because information travels through many channels and not only through digital networks. The assessment of the risk weighing on information should not rest solely on considerations of a purely “IT” kind; it has to be a process that also evaluates places and people. Kevin D. Mitnick demonstrated this clearly in his 2001 best-seller “The Art of Deception”, where he presents a series of cases in which useful information can be obtained for one’s own ends simply by talking to people and collecting fragments of information which, once assembled, form a solid base of credentials giving access to further information. For this reason, in some organizations the term “information protection” is used precisely to denote those processes and methodologies that fall within Information Security but cover a much wider perimeter than IT security.
In most cases, the information being protected is the company’s own. Our attention looks inwards: information on clients, contracts, strategies, and so on. The first question is therefore how to define the perimeter of responsibility. Is it sufficient to monitor the use and protection of internal information? Probably not. To protect one’s own company, it is also necessary to look outwards, at those threats which could harm the reputation of our brand or our business. Examples include phishing websites or the profiles of fake consultants claiming to belong to the company in order to steal information or credentials from clients. All banking institutions monitor the web to spot and block phishing websites, i.e. they look outwards from the perimeter to block anything toxic for the company. But is it sufficient to monitor and verify only the unauthorized use or abuse of the trademark? Or are there other aspects to take into consideration?
In recent years, the newspapers have been flooded with articles, discussions and declarations on the “fake news” phenomenon, used for disinformation, mainly in the political field or for direct economic gain. As an example, the “endorsement” of candidate Donald Trump by Pope Francis was shared and commented on more than 960,000 times on Facebook. Who knows whether this small element had an influence on the candidate’s election or not?
It has happened to all of us: a friend or a colleague reports a piece of fake news to us. Probably, we too have been victims and unwitting transmitters of at least one piece of fake news, read quickly on a social network between a bite of croissant and a sip of coffee at the bar.
Disinformation can occur through an incomplete representation of the facts, a false representation of the facts or a manipulated representation of the facts. The objective of the agent spreading the disinformation is to push the news as
far as possible across all communication channels, driving readers towards a precise conviction.
Disinformation has a simple aim: to steer the reader towards a given position, whether for or against an argument. It is created to generate a feeling of empathy or of repulsion. This feeling can sometimes lead to concrete actions such as protests, boycotts or demonstrations.
If we stay focused on the last American elections, we can take the case of a soft drink as an example. In mid-November 2016, a blog of American conservatives reported an interview with the CEO of the company producing this soft drink, in which he would (note the conditional) have declared: “CEO Tells Trump Supporters to Take Their Business Elsewhere”. The news was completely distorted, both at its source and by those who forwarded it, but its impact on the company seems to have been real, both in terms of public appreciation of the company and in terms of the value of its stock. The sentiment ranking towards the company sank by 35%. The share price, on the same day the “news” was published, fell by 3.75%, and by more than 5% over the whole month. It is still possible that the two reactions were unrelated, yet it remains a very important case study for analysts of brand reputation and communication.
Outside the electoral context, another case which made history concerned a pharmaceutical company we will call XY. In January 2012, an article appeared on Seeking Alpha, a finance-focused website. It stated that company XY, listed on Wall Street, was working on the development of a cancer treatment that was cheaper and more competitive than those of its competitors. In five months, the company’s stock gained 263% in value, perhaps because of the publication of that news. The SEC (Securities and Exchange Commission) discovered that the article had in fact been commissioned by pharma company XY itself, through an indirect payment. As a result, the stock price fell abruptly.
This technique was known in the past as “Pump & Dump”: “pumping” the stock value with fake news suggesting that huge increases in value are about to take place, and then “dumping” it once the desired value is reached. It is one example of financial fraud in which the less well-informed pay the consequences.
Another case, in 2013, had a systemic impact. A tweet published from the Associated Press (AP) account, stating that an attack had taken place at the White House and that President Obama had been wounded, “burnt” more than 130 billion USD on the New York stock exchange before it was made public that the AP account had been hacked.

Let us suppose, hypothetically, that we are company Beta, an attractive target on the market because we are present in various geographic areas, have consolidated infrastructures with solid trade deals and hold a monopolistic position in some markets. Our share price is high and potential variations could be very costly to current shareholders. If company Alpha were interested in Beta and wished, by unfair means, to buy a part of our shares in order to influence our strategies or to consolidate its own presence inside Beta, could it use disinformation to lower the value of our shares and buy more of them?
Disinformation activities can be short- or long-term. Probably, if we were speaking with an English CEO or with an Asian CEO, even their own conceptions of “short” and “long” term would raise many questions.

  • Option 1: If I were company Alpha, I could publish, from several sources, a fake declaration by Beta’s CEO, as in the soft drink case quoted above. This initiative could lower the value of Beta’s stock. Alpha could then take advantage of the moment to buy a part of the shares at a price roughly 5% below the normal one, buying them indirectly and at different moments so as not to attract attention.
  • Option 2: If I were, again, company Alpha, I could also publish information on Beta similar to what we saw in the pharma company case. In this option, the objective would still be to buy shares, but through a process of discrediting the targeted company. Investors could lose their trust after reading fake news on the company’s future winning strategies, later denied, and so burst the speculative bubble. There are various controls by the supervisory commissions, but I would bet that, with due precautions and if well planned, different ways to buy shares, even indirectly, without being unmasked do exist, even more so if they are backed by governments.
  • Option 3: The disinformation activity could also be conducted over the long term, using fake profiles. Let us suppose we have at our disposal a certain number of fake profiles on diverse social media, and that those fake profiles start to share poor information on Beta: service disruptions, mediocre product quality, untrustworthy employees, management scandals. This fake news, like so many little drops, would be poured en masse into an ocean of information, polluting it. Such a quantity of information is hard to skim off. Recall the sentiment analysis that fake news could drag down, sinking trust in the products and hence their sales. Products sold on eCommerce websites carry all the customers’ reviews. We defy anyone not to think twice before buying a product after reading two positive reviews and one negative one, or the other way round. The negative review will influence the reader’s psyche much more than the positive ones.

And what if, instead of a company, it were a country? A country which could be, logistically speaking, a springboard for economic initiatives or a transit route for important international infrastructures. Discrediting the country’s reliability, as well as that of its rulers, could be done through disinformation campaigns on fiscal policy, low-quality tourism, in short on all those indicators that could help destabilize or impoverish that country, then allowing a “sacking” of its resources or infrastructures. Its GDP would fall because of the lack of tourism revenues or of internal investment in productive activities. The GDP fall leads to a fall in tax revenues, which leads to a shortfall in covering the costs of infrastructure maintenance. To cover this shortfall and maintain its infrastructure, the country is obliged either to sell part (or all) of it or to take on further debt. All of this being, of course, a working hypothesis.
The financial market is driven by the key information it receives and tries to convert into value. We must also bear in mind the High Frequency Trading systems based on mathematical algorithms, some of them already equipped with quantitative Big Data analysis capabilities and news-parsing systems to monitor the news in real time and adjust transaction values, taking into account information other than purely financial data.
The presence of countless pieces of information whose reliability is not verified and whose source is not classified according to its own reliability can lead, in the future, to ever greater distortions of the market, as well as to policies of expansion, even geo-economic ones, through the use of information. High Frequency Trading systems will become even more powerful and ever more confident in their own analyses and judgements made on Big Data. If we add that, in the near future,
even individual investors will have a broader possibility to trade at higher frequencies, we can only conclude that the correct use of information has become vital for the markets.
How do we protect ourselves? This is the last question we raise in this essay. Certainly, all actors should take part in protecting the financial system. Blaming and prosecuting the publishers of “fake news” is a commendable activity in itself, but one that requires timeframes out of step with the markets’ volatility.
Certainly, it would be possible to impose some rules on the selection of sources by High Frequency Trading systems, through a reliability certification based on the reliability of the information issued by a source over time. In this way, we could avoid the risk of being affected by polluting sources, but we would not solve the potential problem of compromised accounts, as in the Associated Press case.
From a company’s point of view, a fundamental rule is to “communicate first”. It is the basic rule of crisis management, but in a society so saturated with information it must become a daily activity. In the book “Deception – Disinformazione e propaganda nelle moderne società di massa”, the author argues that “speed is an essential element, because what matters is the first statement: all subsequent denials have no effect”.
It is therefore urgent that companies start to build structures able to monitor social media, analyze the information published there and assess its potential impact on the company, in order to move first with press releases that clearly define the company’s position. By monitoring social media, we do not mean only the “classical” social media. The analysis must also be conducted on a multi-dimensional level, i.e. by verifying that there are no diverse threads leading back to the same nest, the very source of a disinformation attack.
We do not have to chase the news in order to contain, deny or correct it. A badly handled piece of information can quickly turn into a Hydra of Lerna. A clear, official position of the company, well structured and widely disseminated, will rid stakeholders of doubts and uncertainties. To do this, we have to build a capillary communication system able to reach all levels of stakeholders. The information must be simple, linear and easy to understand, with different levels of detail based on the needs of the stakeholders we want to reach: financial analysts, consumer associations, consumers, supervisory institutions and so on. In the information era, information itself is the best weapon we can use.
Thus, the perimeter of information protection, for companies, could be greatly broadened. This could call for additional effort and ever more cross-cutting competences, with quick-response teams delivering not only technical but also communication solutions, helping the press office and the communication office to conduct information operations in order to counter disinformation.

Massimo Cappelli

Massimo is Operations Planning Manager within the GCSEC. As PMO, he coordinates the foundation’s research and education activities. Since January 2017, he has led the CERT and Cyber Security of Poste Italiane within the Information Protection Department. After studies in economics, he obtained a PhD in “Geoeconomics, Geopolitics and Geohistory of border regions” with a focus on the Critical Infrastructure Protection Programme, and a Master’s in “Intelligence and Security Studies”. Previously, he held the role of Associate Expert in Risk Resilience and Assurance at Booz & Company and Booz Allen Hamilton.
