The Inter America Press Association (IAPA) recently hosted
journalists from around the US and Latin America for their 73rd General
Assembly in Salt Lake City; for the first time this year there were
cybersecurity panels, with almost an entire day dedicated to the topic.
These days, journalists and publishers are
increasingly concerned about protecting themselves, their work, and their
sources. Rightfully so, for we live in a time when nearly every aspect of
publishing occurs online, from data gathering and file sharing, to researching
and writing, even phone calls. Journalists sit at the confluence of many
cyberthreats that are becoming more sophisticated. Nation-state attacks and
cyberespionage campaigns are proliferating.
Michael Kaiser, Executive Director of the National Cyber Security Alliance
moderated this year’s IAPA cybersecurity panels that included cybersecurity
experts from Google, ESET
and Utah Valley University.
Stephen Somogyi, a product manager at the Security
and Privacy division at Google, began his remarks by acknowledging that, while
this panel is about digital threats, the physical threats which journalists
face are enormous and should not be overlooked.
Journalists targeted by cybercriminals
Then the discussion moved into why journalists are
targeted by cybercriminals. The panel agreed that journalists hold a lot of
power because they act as the voice of the people and working with critical
information puts a target on their backs. Cybercriminals or cyberespionage
groups can attempt to either withhold key information, or reveal it in a time
and manner that is advantageous for them, and/or the group they represent be it
a nation state, or criminal enterprise.
According to ESET security researcher Stephen Cobb,
some of the greatest threats come from well-funded cybercrime and
cyberespionage groups that will go to great lengths to accomplish their
objectives: “Really the most dangerous groups are well-funded attackers, or
threat actors with resources; the more resources the more dangerous they
can be.”
Cobb gave as an example the Mexican government
purchasing commercial spyware and reportedly using it to target journalists, like Carmen
Aristegui, a reporter who exposed the biggest government corruption cases to
date. These types of hacking tools in the hands of well-funded organizations
can be used against reporters through intimidation and harassment.
Robert Jorgensen, Cybersecurity Program Director at
Utah Valley University, expanded on the point of threat actors seeking personal
information, “There is a true and present danger of people impersonating
journalists or discrediting them and their sources; when the press is the
voice of the people and its integrity is compromised, the effects can be so far
reaching.”
Kaiser then asked the panel what can be done – even
in the face of well-funded organizations: “When you put yourself in the shoes
of a journalist or someone like a publisher, how do you begin to understand the
risks and build protection around those risks?”
For journalists there could be a broad range of
directions from which attacks may come, so the concept of risk management is an
important one. Also, publishers and heads of news organizations should be
involved and ask questions about their security, as should the teams that
manage their security, whether that be outsourced IT or in-house.
Knowing the risks that exist, and how to mitigate
those risks is critical. “You need to constantly reevaluate the assessment of
what is the risk,” said Cobb. It’s an ongoing process that journalists and
publishers should be engaged in, and in which they should have regular training
and education. Somogyi pointed out that you need to ask what are you
protecting, and how long it needs to stay protected.
“When I interact with journalists they get excited
about the James Bond stuff,” said Somogyi, “but what is going to get you and
your sources in trouble, is the mundane stuff”
Somogyi, gave the example of DDoS attacks, that he
explained using this analogy: “You have not slept for days and you have
15 children demanding attention from you, you can keep up.” Technically, this
type of attack floods a server with traffic that renders the website
inaccessible. That means the publisher of the site is no longer able to
get their news across. This is one class of attack that is relatively easy to
execute Somogyi said, adding, “It’s a very cold, calculating, and ruthless thing.”
Understand the risks
The panel agreed that the supply chain creates a
lot of risk. Attacks can occur or originate not inside an organization, but
somewhere in the supply chain, where you have little control over the security
of your suppliers. The supply chain issue is common in the entertainment
industry, but is a serious risk for publishers and news organizations as well.
“There are also risks in the software supply
chain,” said Cobb, adding “If you are running software – which all companies do
– be aware that the bad guys will keep evolving attacks that abuse software at
its source, which underlines the need for threat intelligence.”
Matthew Sander, President of the Inter American
Press Association in the audience pointed out that we are at a cyber nexus, and
asked where to begin in this “sophisticated cybersecurity public health
problem.”
“There are a number of frameworks you can look at,”
said Jorgensen. “Really it starts with taking an inventory of devices and
software. Start small and worry about larger stuff as time goes on.”
“Communication among peers is a very good thing,”
said Somogyi, “Find a way to help employees and empower them to adopt good
practices.” Simple things matter, like software updates, because “if you
don’t update and then get compromised, you become the vector for which your
colleagues become compromised.”
Jorgensen suggested that you should start with
education, “Anything you do to impart security knowledge to your employees is
going to help.”
Cobb agreed that education is a key factor, and
these days you can make it about personal computing as well as work computing.
When everyone has a computer or smartphone, cyber education and training
benefits both home and personal life.
When asked about security standards, the panelists
warned that a checklist approach is not enough. Merely checking boxes or
complying with standards is not the same as being secure, said Somogyi, “Do not
labor under the illusion that that compliance gives you security.”