The use of disinformation by states and intelligence agencies to undermine their enemies and political rivals has become commonplace in recent years. Hacked emails, fake websites, and doctored photos and messages are now staple weapons for spies and government operatives globally.
But these digital dark arts are no longer solely the providence of the espionage world. Indeed, Dark PR, as it’s called, is increasingly infecting corporate competitions and legal struggles. And executives at the C-Suite level need to be able to identify gathering disinformation campaigns targeting their operations and quickly move to neutralize them.
In many cases, the early salvos of a Dark PR operation may look amateurish, or even comical. Concocted stories often appear so manufactured or poorly written that it’s hard to take them seriously. Many are published on fake websites or LinkedIn accounts, so they are summarily discounted.
Ignoring these early warning signs, though, can be fatal to a company or business. The ultimate design of a disinformation operation often isn’t easily discernible. Some may have short-term goals, like impacting litigations or a corporate takeover. But some can have longer-term strategic goals, such as undermining a company’s ability to raise capital or launch an IPO. Nothing should be discounted.
This growing threat comes from a convergence between corporations, law firms, private detectives, and cyber firms, and the anonymity often provided by the digital world. Recent research conducted by Internet watchdogs exposed a proliferation of hack-for-hire operations conducted against businesses, NGOs, and journalists, purely aimed at achieving commercial outcomes. Stolen, and often manipulated data, is posted on the web and fed to the media in an effort to affect legal fights, business transactions, and even staff hires.
One cyber firm from India, BellTrox InfoTech Services, helped its clients spying on over 10,000 rival email accounts over a seven-year period, according to investigative reports published by Reuters and the Canadian watchdog, Citizen Lab, last year. BellTrox’s targets included hedge funds, law firms, and reporters from the Wall Street Journal and Financial Times. Its clients are believed to include a slew of blue-chip American and European firms.
But the threat isn’t just coming from stolen data. Online influence operations, using Twitter and other social media platforms, also are being employed to discredit companies, their brands, and executives. The sources behind these digital campaigns are nearly always disguised and can distort or manipulate even real events to harm their rivals.
A good example is an influence operation that targeted Nike Inc. in late 2018 after the shoe company announced plans to release a new advertising campaign starring the former NFL quarterback-turned-social activist Colin Kaepernick. Nike’s share price fell 3.2% the day after the campaign debuted, as online activists called for a boycott of the company. Some filmed themselves destroying Nike products.
A study of the Twitter traffic tied to the boycott conducted by APCO Worldwide and Morpheus Cyber Security revealed that the consumer and political outrage against Nike wasn’t nearly as voluble or widespread as it initially appeared. Indeed, certain groups bolstered the debate online by creating inauthentic Twitter surges. Their tactics included closely organizing echo chambers to mobilize tweets or deploying computer-generated traffic with bots. Nike’s share price quickly rebounded from its collapse and rose to an all-time high just a few weeks later.
In the face of this cybercrime and digital manipulation, companies need to be prepared to defend themselves, and quickly. To do so, they need to focus on three key areas: Attribution. Motivation. Response.
Attribution: Identifying the source of a hack-and-smear or an influence operation is extremely difficult. Assailants use third parties and foreign firms to cover their tracks and mask any money trail. But cyber firms are becoming increasingly adept at identifying fake news sites and Twitter accounts. And sophisticated software can address whether social media campaigns are organic or being driven by rivals.
Motivation: The early stages of a Dark PR campaign are extremely disorienting to a target. Are the attacks coordinated? Will they be sustained? The key for the C-Suite is to quickly assess and try to understand the motivations behind the operation. One motive can be a simple as trying to undercut a company’s new hire. Another could be as sophisticated as undermining a company’s political standing in a foreign country.
Response: Answering these questions is the key to helping a company’s leadership respond. In extreme cases, this might include bringing in law enforcement. But on most occasions, the strategy should focus on providing facts and truths. This could include holding press briefings, establishing fact-filled websites, and publicly identifying those behind the Dark PR.
The power of new technologies is outpacing the ability of governments and law-enforcement agencies worldwide to protect companies and commerce. As a result, it’s increasingly incumbent upon the C-Suite to police their operations and push back against Dark PR. Doing so is not only crucial to their companies’ financial health but also important for society overall.
Jay Solomon is Senior Director at APCO Worldwide and is a fellow at the Washington Institute for Near East Policy.