The Inter America Press Association (IAPA) recently hosted journalists from around the US and Latin America for their 73rd General Assembly in Salt Lake City; for the first time this year there were cybersecurity panels, with almost an entire day dedicated to the topic.
These days, journalists and publishers are increasingly concerned about protecting themselves, their work, and their sources. Rightfully so, for we live in a time when nearly every aspect of publishing occurs online, from data gathering and file sharing, to researching and writing, even phone calls. Journalists sit at the confluence of many cyberthreats that are becoming more sophisticated. Nation-state attacks and cyberespionage campaigns are proliferating.
Michael Kaiser, Executive Director of the National Cyber Security Alliance moderated this year’s IAPA cybersecurity panels that included cybersecurity experts from Google, ESET and Utah Valley University.
Stephen Somogyi, a product manager at the Security and Privacy division at Google, began his remarks by acknowledging that, while this panel is about digital threats, the physical threats which journalists face are enormous and should not be overlooked.
Journalists targeted by cybercriminals
Then the discussion moved into why journalists are targeted by cybercriminals. The panel agreed that journalists hold a lot of power because they act as the voice of the people and working with critical information puts a target on their backs. Cybercriminals or cyberespionage groups can attempt to either withhold key information, or reveal it in a time and manner that is advantageous for them, and/or the group they represent be it a nation state, or criminal enterprise.
According to ESET security researcher Stephen Cobb, some of the greatest threats come from well-funded cybercrime and cyberespionage groups that will go to great lengths to accomplish their objectives: “Really the most dangerous groups are well-funded attackers, or threat actors with resources; the more resources, the more dangerous they can be.”
Cobb gave as an example the Mexican government purchasing commercial spyware and reportedly using it to target journalists, like Carmen Aristegui, a reporter who exposed the biggest government corruption cases to date. These types of hacking tools in the hands of well-funded organizations can be used against reporters through intimidation and harassment.
Robert Jorgensen, Cybersecurity Program Director at Utah Valley University, expanded on the point of threat actors seeking personal information, “There is a true and present danger of people impersonating journalists or discrediting them and their sources; when the press is the voice of the people and its integrity is compromised, the effects can be so far reaching.”
Kaiser then asked the panel what can be done – even in the face of well-funded organizations: “When you put yourself in the shoes of a journalist or someone like a publisher, how do you begin to understand the risks and build protection around those risks?”
For journalists there could be a broad range of directions from which attacks may come, so the concept of risk management is an important one. Also, publishers and heads of news organizations should be involved and ask questions about their security, as should the teams that manage their security, whether that be outsourced IT or in-house.
Knowing the risks that exist, and how to mitigate those risks is critical. “You need to constantly reevaluate the assessment of what is the risk,” said Cobb. It’s an ongoing process that journalists and publishers should be engaged in, and in which they should have regular training and education. Somogyi pointed out that you need to ask what are you protecting, and how long it needs to stay protected.
“When I interact with journalists they get excited about the James Bond stuff,” said Somogyi, “but what is going to get you and your sources in trouble, is the mundane stuff”
Somogyi, gave the example of DDoS attacks, that he explained using this analogy: “You have not slept for days and you have 15 children demanding attention from you, you can't keep up.” Technically, this type of attack floods a server with traffic that renders the website inaccessible. That means the publisher of the site is no longer able to get their news across. This is one class of attack that is relatively easy to execute, Somogyi said, adding, “It’s a very cold, calculating, and ruthless thing.”
Understand the risks
The panel agreed that the supply chain creates a lot of risk. Attacks can occur or originate not inside an organization, but somewhere in the supply chain, where you have little control over the security of your suppliers. The supply chain issue is common in the entertainment industry, but is a serious risk for publishers and news organizations as well.
“There are also risks in the software supply chain,” said Cobb, adding “If you are running software – which all companies do – be aware that the bad guys will keep evolving attacks that abuse software at its source, which underlines the need for threat intelligence.”
Matthew Sander, President of the Inter American Press Association in the audience pointed out that we are at a cyber nexus, and asked where to begin in this “sophisticated cybersecurity public health problem.”
“There are a number of frameworks you can look at,” said Jorgensen. “Really it starts with taking an inventory of devices and software. Start small and worry about larger stuff as time goes on.”
“Communication among peers is a very good thing,” said Somogyi, “Find a way to help employees and empower them to adopt good practices.” Simple things matter, like software updates, because “if you don’t update and then get compromised, you become the vector for which your colleagues become compromised.”
Jorgensen suggested that you should start with education, “Anything you do to impart security knowledge to your employees is going to help.”
Cobb agreed that education is a key factor, and these days you can make it about personal computing as well as work computing. When everyone has a computer or smartphone, cyber education and training benefits both home and personal life.
When asked about security standards, the panelists warned that a checklist approach is not enough. Merely checking boxes or complying with standards is not the same as being secure, said Somogyi, “Do not labor under the illusion that that compliance gives you security.”