Illustration: Aïda Amer/Axios
Ransomware may be the threat everyone is talking about right now, but businesses also face another growing risk: becoming a disinformation campaign's direct target or collateral damage.
Why it matters: Ransomware's damage is immediate and unavoidable, but the attack takes skill and planning, while disinformation attacks are often cheaper to launch and harder to protect against.
"You’ve either been the target of a disinformation attack or you are about to be," former U.S. cybersecurity head Chris Krebs told Axios.
- Recent examples of companies that have been harmed include election equipment makers Smartmatic and Dominion, which were caught up in 2020 election lies, and online furniture mart Wayfair, which was falsely tied to a QAnon child sex conspiracy theory.
The big picture: Businesses are only one target of major disinformation campaigns. The same forces are undermining elections, casting doubt on climate science, and reducing trust in vaccines.
Between the lines: Krebs, in a meeting with businesses leaders Wednesday, described information attacks as coming from at least five different types of actors: profiteers, nation-states, conspiracy theorists, political extremists and political activists.
- And, in many cases, actors from more than one of these types end up reinforcing each other. "They overlap," Krebs said, speaking to executives and clients of PR firm Weber Shandwick on Wednesday. "You can see two or three interacting on the same campaign."
Of note: Unlike ransomware, many types of disinformation attacks are not illegal.
- That often means the consequences are minimal — as when specific individuals or accounts are banned from a platform.
- Other times, the only cause for redress is legal action, such as a defamation lawsuit, and those can be time-consuming and expensive to pursue.
Disinformation, like ransomware, is becoming a business unto itself, spawning the creation of agencies who specialize in creating and spreading false messages.
- "There are organizations that are playing a disinformation-as-a-service function," Krebs said.
Krebs said businesses shouldn't wait passively but prepare for the inevitable attack — by figuring out where they fit into potential target areas, either through the type of industry they are part of or positions they take, such as those around diversity or immigration issues.
Eliminating risk isn't an option, Krebs said, but there is a lot businesses can do when they assess their potential risks and prepare to fight back.
- One key is to have clear lines of responsibility, Krebs said. He noted that disinformation attacks often fall through the cracks, with PR, legal, cybersecurity and other teams often pointing fingers rather than taking swift action.