Journalism schools still behind on cybersecurity training, new survey finds

Image: Wikimedia commons

Toward the end of a long workday, one last email dropped into Jawar Mohammed’s inbox. It looked like a news tip, forwarded from an Ethiopian radio station. Mohammed, head of an independent broadcaster based in Minnesota and a leading figure in the Ethiopian opposition movement, wasn’t fooled. He didn’t click the link.

Instead, Mohammed forwarded the message to researchers at the Citizen Lab, a research group at the University of Toronto, who confirmed his suspicions. Clicking the link would have turned his phone or computer into the ultimate spying tool: recording sound, video, calls, texts, and passwords—possibly putting Mohammed’s contacts in serious danger. Luckily, Mohammed didn’t need an army of paid hackers to defend against this threat. His own sense for digital security was enough.

ICYMI: Merriam-Webster reveals its word of the year

Others have not been so fortunate. The New York Times said that operators based in China probably used the same type of email deception to break into their systems in 2012. In Mexico, journalists have been systematically targeted with sophisticated commercial spyware purchased by the Mexican government in an ongoing spying scandal. And these instances of probable state-sponsored spying represent only one type of digital threat against journalists today.

Once considered the exclusive concern of national security reporters, basic digital security competence is now essential for all journalists. Online mobs try to silence writers—especially women and people of color—by finding and leaking their personal information online; criminals lock down publishers’ systems and try to extort ransoms; metadata can leave breadcrumbs back to vulnerable sources; and one misguided click or weak password could let intruders into a whole news organization’s system. These days, bad security habits could betray your sources, or the sources of the reporter sitting next to you.  

The majority of journalism schools surveyed devote less than two hours to digital security training.

Yet, new data collected by the Citizen Lab suggests that most journalism schools do not do enough to prepare the next generation of reporters to protect themselves, their sources, and their colleagues online. (You can read the full survey methodology at the bottom of the page.) Only half of the 32 schools across the US and Canada that responded to the survey offer digital security training, and less than a quarter make that training mandatory. Among programs that have training, the majority devote less than two hours to the subject; previous research has found that even after six, three-hour workshops only half the participants passed a test about the material they covered.

Sign up for CJR's daily email

The good news is that, among schools that said they offer training, most are moving in the right direction by integrating digital security into their courses, rather than offering standalone sessions. Unfortunately, almost all of these schools still devote less than two hours to the subject, which we know is not enough. And another large fraction of schools aren’t offering any training at all.

Of course, it’s not easy for journalism schools to turn on a dime in response to changing trends, but digital threats to journalists are getting worse. And experienced educators say that giving students the basic knowledge they need to work safely in the digital world might be easier than schools assume.

A short one-off session has been the go-to approach to digital security training for many institutions, from government to the private sector. About a third of the schools that responded to the Citizen Lab’s survey cover digital security in a short session. Most often this was a 1–2 hour lecture or 3–5 hour workshop—some were mandatory, others optional. This approach can easily go wrong.

RELATED: Why DDoS attacks matter for journalists

In her eight years of experience leading security trainings for a range of organizations, Carol Waters often confronts “absurd requests” from clients who want her to jam too much material into a quick session. Waters understands that time constraints and the difficulty of finding instructors can make these one-off sessions the easiest option for institutions that want to do something about digital security. But she’s adamantly against trying to cover too much material in too little time. “It’s magical thinking,” she says. “It doesn’t work.”

Waters has also seen how well-intentioned but misguided training can even be counterproductive. In 2014, as a fellow at the Tow Center for Digital Journalism at Columbia Journalism School, Waters and fellow trainer Chris Walker piloted an in-depth course in digital security spanning a whole semester. In the process, they found that students who’d previously been through one-off trainings usually retained almost no knowledge, and sometimes developed defeatist attitude about their ability to learn good security habits. Short trainings also left some students with half-installed tools on their devices, which often malfunction. Waters and Walker concluded that these two-hour trainees “often end up more frustrated and no better informed.”

ICYMI: A bombshell scoop that started with an 11-word, late-night text

Fortunately, our results show that the majority of the eighteen schools that said they offer training are taking a more constructive approach by integrating digital security into their existing courses. Susan McGregor, a professor at Columbia and expert on digital security issues affecting journalist, says that this is the ideal way to teach the topic. For example: a basic reporting class might touch on the need to store notes and contacts securely in case your devices are searched; a photojournalism class would mention that metadata in photo files can reveal the location where they were taken; a social media class would teach students how to lock down their accounts and cope with online threats; and an investigative techniques class would highlight the hidden ways in which documents can be traced. Our survey doesn’t show what material is currently being covered, but we do know that many schools are taking the right teaching approach.

The advantage, according to McGregor, is that security is “integrated into journalistic practice.” That way, security becomes a habit—like checking the spelling of names before publication or organizing photos at the end of the each shoot—rather than a cumbersome add-on. It’s also easier for schools to tweak current syllabi than to add new classes in tightly scheduled programs. This integrated approach does, however, require faculty to teach what is, for many, an unfamiliar subject.

If security is “integrated into journalistic practice,” it becomes a habit.

“Whereas in other safety and security scenarios we have a lifetime of lived experience,” said McGregor, the digital equivalent of checking both ways before you cross the street is not nearly so intuitive. Still, McGregor is guardedly optimistic. “Journalists are smart,” she says. “They learn new stuff all the time. If you can use a CMS, you’re going to be fine.”

And journalism instructors don’t necessarily need to grapple with PGP encryption or learn the ins-and-outs of every new security app. Experienced educators say that teaching these tools is secondary to helping student think through questions like: What information do I need to protect? Who might be trying to attack me? When am I at greater risk? And how can I protect myself?

Steve Doig, a Pulitzer Prize–winning reporter and professor at the Walter Cronkite School of Journalism, said his digital security class isn’t a “how to” session. He just wants his students to be able to assess risks. He’s also conscious that security tools change so quickly that practical training swiftly goes out of date.

Doig’s approach mirrors the way journalism schools often teach students about the law, which is required under US accreditation standards. Journalists don’t need to be legal experts, but they are taught to follow simple best practices (like preserving your notes) because you never know when a reporter or source may stumble into legal jeopardy. Similarly, Doig wouldn’t want one of his students to end up in a situation where they should be using specialized digital tools but aren’t even aware of the risks.

“Someday they may find themselves in a situation where, to get the story, they need to promise confidentiality,” says Doig, “They need to keep that promise.” It’s in those situations that Doig hopes students will remember his class, and seek out the technical knowledge and expert support they need to protect their professional practice—much like a journalist might call in a lawyer when legal issues arise.

Doig is self-taught in digital security, and has now trained countless students, which goes to show: educating educators has exponential benefits. Kenneth Werbin, a professor at Wilfrid Laurier University, said that completing our survey made him reconsider his own program’s digital security offerings. After researching the topic and taking a training course with a press freedom group, he’s planning to spend more time in his next class talking about the digital security risks his students may face in their careers and what they can do about them.

ICYMI: Civil says the future of media is blockchains and cryptocurrencies

This article is a collaboration between CJR and the Citizen Lab at the Munk School of Global Affairs, University of Toronto. The Citizen Lab’s study was financially supported by the John D. and Catherine T. MacArthur Foundation (Ronald J. Deibert, Principal Investigator). Thanks to all the survey participants and to the research team, especially Masashi Crete-Nishihata, Christopher Parsons, Lokman Tsui, Dawn Walker, and Ronald J. Deibert.

Survey methods: These findings are based on a survey sent to 124 university degree programs in journalism in the US and Canada by the Citizen Lab. For American schools, our research team began with the Accrediting Council on Education in Journalism and Mass Communication’s (ACEJMC) list of accredited programs. We manually excluded programs that were exclusively focused on communications, public relations, and other non-journalism fields. For Canadian schools, we began with the Universities Canada’s list of member institutions and conducted manual searches to determine if each institution had a journalism program.

The survey was distributed by email to the official who appeared (from the school’s website) to be responsible for academic programs, or to the head of the program/school. The initial request was followed by two reminders and a last call. Responses were collected through Google Forms. The survey questions are available here.

In total, 32 institutions responded. Although we asked respondents to complete one survey for each program at their institution only two followed this instruction. We have therefore reported the results by institution. The response rate was 26% (32 out of 124). Twenty-one respondents were from American institutions. Thirteen were Canadian. Given that there are many more American schools, the response rate was considerably higher for Canadians than for Americans. Twenty-four responses were for Bachelor’s degrees. Seven were for Masters degrees. One response was recorded for a PhD program.

Since this was a survey—not a poll—the results are not necessarily representative. They do, however, offer a unique insight into how journalism schools are teaching digital security.

Has America ever needed a media watchdog more than now? Help us by joining CJR today.

Joshua Oliver is a research assistant at the Citizen Lab, and a freelance journalist. He can be reached at josh@citizenlab.ca.