Responses to misinformation

[Cross-post from Medium https://medium.com/misinfosec/responses-to-misinformation-885b9d82947e]

There is no one, magic, response to misinformation. Misinformation mitigation, like disease control, is a whole-system response.

MisinfosecWG has been working on infosec responses to misinformation. Part of this work has been creating the AMITT framework, to provide a way for people from different fields to talk about misinformation incidents without confusion. We’re now starting to map out misinformation responses, e.g.

• At the technique level — T0025 leak altered documents was countered in France during the Macron election.
• At the tactic level — we can create a courses of action matrix that lists ways to detect, deny, disrupt, degrade, deceive or destroy activities in each tactic stage.
• At the procedure level — we can look at sequences of responses that may be more effective than individual responses in isolation.

Today I’m sat in Las Vegas, watching the Rootzbook misinformation challenge take shape. I’m impressed at what the team has done in a short period of time (and has planned for later). It also has a place on the framework — specifically at the far-right of it, in TA09 Exposure. Other education responses we’ve seen so far include:

• Immunisation through gameplay “pre-bunking”, e.g. the game https://getbadnews.com/#intro
• Education on specific techniques, e.g. the pineapple pizza education on division tactics
• The Finnish education model
• Other counters being explored by groups like the CredCo media literacy working group

Education is an important counter, but won’t be enough on its own. Other counters that are likely to be trialled with it include:

• Tracking data providence to protect against context attacks (digitally sign media and metadata in a way that media includes the original URL in which it was published and private key is that of the original author/publisher)
• Forcing products altered by AI/ML to notify their users (e.g. there was an effort to force Google’s very believable AI voice assistant to announce it was an AI before it could talk to customers)
• Requiring legitimate news media to label editorials as such
• Participating in the Cognitive Security Information Sharing and Analysis Organization (ISAO)
• Forcing paid political ads on the Internet to follow the same rules as paid political advertisements on television
• Baltic community models, e.g. Baltic “Elves” teamed with local media etc

Jonathan Stray’s paper “Institutional Counter-disinformation Strategies in a Networked Democracy” is a good primer on counters available on a national level.