- Security TWENTY
- Women in Security
Whatever we talk about, we should be careful how we define it, and that’s even more true of ‘fake news’, writes Mark Rowe. For the security manager, does ‘fake news’ boil down to just yet another IT security issue? he asks.
When President Trump (indeed the ‘real Donald Trump’) uses the term ‘Fake News Media’ on Twitter, he shows a worrying lack of exactness; he really means (in his opinion) ‘biased news’ from such outlets as (as he types it) ‘The Failing New York Times’.
As Donald Trump tweeted on December 30: “I use Social Media not because I like to, but because it is the only way to fight a VERY dishonest and unfair “press,” now often referred to as Fake News Media. Phony and non-existent “sources” are being used more often than ever.” He complained that many stories and reports were ‘pure fiction!’.
Fake news is, either, a piece of news that purports to be a news item from a genuine news organisation, but in fact comes from someone or somewhere else, deceitfully; or it is carried by a reputable news provider, but the content is not accurate. Such as, a report that company X is about to report a profit warning; or the company’s chief executive has been in a road accident, or is under investigation for an unspecified irregularity.
As President Trump hinted in that tweet, such scurrilous tittle-tattle has always been around; except that, thanks to email and social media what was last century the stuff of gossipy stock exchanges and private clubs and posted letters and maybe graffiti and bill posters is now around the world electronically in seconds, to be acted on by rivals, traders and ‘friends’. If it affects a share price, even by a small fraction, that can for the largest corporations be big money, or enough money to represent a risk to be worth mitigating.
Where the security manager comes in is if that corporation requires board members to have personal security at all times, and thus to be accounted for, because if one of the company’s key executives is absent or uncontactable, not even because of being kidnapped or a victim of a travel accident but by not picking up the phone, that can trigger a market reaction.
It’s a matter of communication, and a far cry from the times, well within living memory still, when business people and everyone else had at best telephones or ticker-tape machines for instant communication, and when fax machines felt like a genuine innovation. It meant that people – whether sales guys staffing a stand at a trade show or execs travelling abroad for business or pleasure – when away from the office were out of touch; which didn’t matter if everyone else was, too. The pace of business and life was far slower; business done by letter could be answered in so many working days; now you can offend if you don’t reply to an email within the hour. Hence being out of contaact can trigger a wrong.
As an example of that past era; when England played South Africa at cricket in Leeds in 1935, an England player was unfit at the last minute and a local, Yorkshire player had to be found to make the eleven at the last minute. A man carrying a blackboard with a message walked around the Headingley ground; the wanted player, Arthur Mitchell, was tracked down to his garden thanks to a personal visit. Now, to not be connected, to not keep in touch with the news (in case your number comes up) is out of the ordinary and can be held against you by an employer.
As it’s a matter of communication, what is the method of communication? The same IT that is being hacked and its data stolen or (arguably even more sinister) tampered with. For a piece of fake news to be effective has to be plausible, meaning the fake news-writer also has to be a data-gatherer; to get, most obviously, the name and title of the exec correct. Some things can hardly be kept confidential – and indeed may have to be made public to meet company law – and are easier to trawl for on the internet than when company contacts could be kept on paper and in locked filing cabinets. Nor does a piece of ‘fake news’ have to be the traditional TV or newspaper report. If you’re an exec who has waved your child off to an airport to a new boarding school and you get a message to say they’ve been kidnapped on the way, how can you tell that it’s fake, a bluff? By ringing the child. But if their phone is not switched on or if there is not a tracking app installed, can you be sure that the threat is fake? Such is virtual kidnapping.
Another clue that fake news for corporates is an IT security issue is the sort of people who are carrying out fake news: nation states seeking to destabilise other countries, hackers, whether lone actors or organised, seeking to carry out crimes, such as fraud or extortion. Whoever’s starting it, what they want is to have their stories turned into conversations. According to a report by Cardiff University the systematic use of fake social media accounts, linked to Russia, amplified the public impacts of the four terrorist attacks in the UK in 2017 – at Westminster Bridge, Manchester Arena, London Bridge and Finsbury Park.
Analysing 30 million datapoints from various social media platforms, the researchers found that at least 47 accounts were used to influence and interfere with public debate after all four. Of these, eight accounts were especially active, posting at least 475 Twitter messages across the four attacks, which were reposted in excess of 153,000 times. Cardiff’s Crime and Security Research Institute points to the use of these accounts as ‘sock puppets’ – where interventions were made on both sides of polarised debates, amplifying their message and ramping up the level of discord and disagreement within public online debate.
Prof Martin Innes, director of the institute said: “Terrorist violence is fundamentally designed to terrorise, mobilise and polarise its audiences. The evidence suggests a systematic strategic political communications campaign being directed at the UK designed to amplify the public harms of terrorist attacks…”
The research was funded by the UK’s Centre for Research and Evidence on Security Threats (CREST) and is free to download on the CREST website.
Fake news, however defined – sloppy traditional or new news providers, news stories seeking to discredit people that the authors do not like – is real and has, again well within living memory, destroyed the traditional media (and related PR) landscape. Richard Edelman, president of the PR firm Edelman, recently blogged that ‘business needs to take control of its own story, with every company becoming a media company’. He quoted a survey by his company in the US that found doubt about all news out there, and ‘changing consumption behaviours’ thanks to the likes of Twitter and Facebook, and a feeling that companies ought to screen for fake news. If as Edelman suggested a company’s employee’s become the ‘most credible spokespeople’, that implies a role for the security manager, the same as any employee; and especially when Security is called on, in a crisis, whether during a product recall or contamination scare, a flood or fire, a business traveller missing or a terror alert.
As its name suggests, CREST asks such questions as: who is involved in the transmission of violent ideologies? Why do people engage and disengage from violent extremism? How do groups innovate in their violent actions? How can security and emergency services anticipate and improve responses to critical incidents? How we can assess the value of information we receive? How can we tell if someone told a lie? Which techniques can help people recall facts about an event? How are terrorist groups financed and what decisions do terrorists make to protect their security? How can we patch security vulnerabilities with people rather than relying solely on technology? How can we prevent low-level breaches by well-meaning employees? What can people’s digital footprints tell us about their personality? What are the barriers to reporting friends and families suspected of extremism to the authorities and how do people keep secrets online?
For CREST’s catalogue of guides, reports and journals, visit https://crestresearch.ac.uk/news/crest-catalogue/.