While the Snowden revelations opened journalists’ eyes to surveillance and ways to encrypt information, the cyberattacks on the Democratic National Committee (DNC) brought home how easy and how devastating it is to be hacked.
Between February and December 2019, I conducted thirty semi-structured interviews with journalists, information security technologists, and media lawyers from national and local news organizations in the United States, as well as individuals from nonprofit organizations and academic institutions. I selected the subjects via a snowball sample (in which I began with a small population of known individuals and then expanded the sample by asking my interviewees for suggestions of others to interview) because of the sensitivity of the topics discussed. Interviewees represented a wide variety of organizations in terms of sizes and cultures. The aim was to obtain a diverse sample that reflected a range of perspectives and practices among journalists and adjacent actors in the newsroom. I also interviewed individuals associated with nonprofit news organizations and academic institutions, including OpenNews, the Freedom of the Press Foundation, and the New School, because of the interviewees’ experiences with information security or systems thinking at the organizational level.
In my new report for the Tow Center for Digital Journalism, The Rise of the Security Champion: Beta-Testing Newsroom Security Cultures, I examine the rise of information warfare, not just as a topic of reporting, but as an assault on newsrooms themselves—and the DNC hacks represent a major flash point.
Rising interest following the DNC hacks
According to a national security reporter, interest in information security among media professionals “peaked again” following the DNC hacks, “partly because we all saw how relatively straightforward the hack was to start with, the phishing emails that were sent to people like Podesta. We’ve all seen emails like that in our inboxes…and just the huge damage and impact that could result from a…thoughtless click on one of these phishing emails.”
As one data journalist put it, the DNC hack was a wake-up call for journalists because even though it was simple, it was sophisticated. “It’s no longer the guy from Nigeria asking you for $5 million. That’s not what they’re doing anymore. It’s much more sophisticated than that.” Another journalist said that the DNC hacks should provide motivation to newsrooms to implement information security practices:
Have them recall what Russia did with the emails that they hacked from the DNC and then later from John Podesta. What they did was to weaken them institutionally—they published the most embarrassing, the most cringeworthy, and the most internally divisive things they could. Unless you make this [information security] your priority, it’s a matter of time before that happens to you.
Often, these concerns manifested in more journalists’ and sources’ being willing to download and use the encrypted messaging service Signal. A national security journalist said he saw an increase in the expectation that Signal would be used for communications from people he didn’t know or expect would be interested in using it, and that this expectation surged in November 2016. “I definitely remember a spike in using it after Trump’s election, and I mean immediately after.” Another journalist, who became the de facto information security trainer in her newsroom, said that “the 2016 election was really a big wake-up call for a lot of people.” Her newsroom “already had some folks who were using ProtonMail. We started pushing folks pretty heavily toward Signal. And then…after the new year, after the election, was when we really did, like, a big sweep. We taught everyone how to use Signal and taught everyone how to use ProtonMail. And then the following year, in 2017, we implemented SecureDrop.”
An information security director for an investigative outlet agreed. He said that the election of Trump was a turning point for many journalists. “I think that when Trump got elected…everyone was like, ‘Oh, fascism is almost here.’”
The increase in the number and scale of data breaches and scandals in recent years has also raised journalists’ awareness of the risks and repercussions of nonsecure practices by companies, agencies, and individuals. One cybersecurity reporter said the 2014 Sony hack in particular was a “big catalyst” that “showed everyone that it could happen to anyone.” He continued, “I mean, we’re literally talking about a company that makes movies…no disrespect, but it’s not the NSA, it’s not the DNC. And they got all of their emails plastered on WikiLeaks…it was a great case study for saying, ‘Hey guys, this could literally be us next week. We need to take this seriously.’ ”
Another shocking moment was the Cambridge Analytica scandal. “Since then we have been asking some more pointed questions in the media, but also as citizens, just about the nature of these tech companies,” an information security technologist said. “Like, what kind of access do they have? Should they have that access? Under what circumstances should they have access to our personal data?… I see people asking themselves about alternatives more than ever.”
For other journalists, the regularity of these breaches has increased their awareness, as distinct from any one incident. Said another national security reporter, “The steady drumbeat of slightly scary infosec stories has just made people much more aware in general that their data is probably fragile and slightly precarious and that people shouldn’t automatically assume it’s secure.”
Intensifying harassment and doxing
And, of course, there have been intensifying online harassment and doxing campaigns against journalists. “Domestically, there has been, over the last two or three years, an increasing number of online threats, email threats, phone threats, usually targeting reporters who have for whatever reason made somebody unhappy, usually because of coverage of the Trump administration,” said a media lawyer at an elite news organization. “Sometimes it’s other topics, but it tends to be reflective of the partisan divide in the country today. And sometimes not directly Trump. It can be about perceptions of political correctness, about writing articles sympathetic about immigration or any of the other topics that tend to be hot-button ones.”
Journalists across a range of beats receive threats, but female and minority journalists tend to be targeted more intensely and frequently. And journalists who cover local or national politics or extremism receive more sustained and severe abuse. A journalist at a local media organization said her managers started to care more about doxing once the news organization diversified its staff.
“When I joined it was whiter than it is now,” she said. “And this isn’t a problem that white people face as much as brown and black people do. You hire a bunch of people and they start complaining about it so you’re suddenly hearing more.”
This journalist soon found that whenever she had a story, regardless of whether it had to do with race or diversity, she would receive harassing emails. “I finally told [my editor] that we needed to do something about it when I was doing stories that had nothing to do with any controversial topic, really. But people would still find a way to connect it with something.”
Contributing to the likelihood of online harassment and doxing is the availability of one’s personal information online. A cybersecurity reporter said that doxing was “the most likely scenario for most journalists…because it’s easy to do and all it takes is angering a source or somebody connected to the source. And the damage can be very high, especially in terms of stress, remediation in terms of, like, maybe you have to worry about how you go home, what bus you take, what public venues you attend.” He added that the danger has been “underestimated for a long time…because it seemed like it was something that gamers did against each other…maybe journalists thought they were off-limits, that no one would dox them.… Maybe we got cocky or we got overconfident that no one cared about our lives. But we now know that that’s not the case…and it seems like some journalist gets doxed or threatened to get doxed…almost every week.”
This reporter said that part of the reason that doxing appears to be intensifying is because it is “literally kid’s play” and it’s challenging to know how to successfully counter it:
There’s no app that saves you from doxing. It’s something that you have to sort of worry about all the time and defend against all the time. And the only way to do that is by having someone that keeps up with how doxing works and what to do to prevent doxing. And also, again, you need to train journalists…I guess, worry less about the NSA or Russia hacking your email and worry more about random people on the internet publishing your home address on Twitter.
Anyone can dox a reporter, and some journalists expressed concern that they could be targets for online harassment or doxing from upset sources. Said one reporter, “I’ve certainly pissed off sources, and not necessarily even sources…but people in that world who I’ve been uncomfortable having pissed off.” So far, he said, “I’ve been pranked, but not hacked.”
DDoS, hacking, and source exposure
As in other cases, journalists and news organizations begin to care more about information security when they are targeted directly by distributed denial-of-service (DDoS) attacks or nation-state hacking attempts. “A couple years ago.… We pissed somebody off on the internet, and our email system was hit by a denial-of-service and nobody’s email worked,” said one journalist and news apps developer. “At that point, I think, at least at [our news organization] everybody started learning about secure alternative ways of communicating. People started to realize that we are vulnerable to threats like anybody else.”
According to one information security technologist, nation-states and powerful individuals don’t want to be written about, so they hire people to dig into who is writing stories about them, learning who they are and what their motivations might be in order to compromise them in different ways and to discredit them. Another information security technologist concurred. He said that nation-state actors “like to have a leg up when it comes to understanding whether or not you’re reporting on them, and if so, how? What do you know? Who are you talking to?”
Cases in which sources have been exposed, arrested, or charged with espionage have also resulted in raised awareness and concern among journalists about the need to learn and successfully implement information security technologies. One security technologist said that his organization had sources who were charged with espionage, which was definitely a “flag” and a concern for journalists in the organization. Another cybersecurity reporter said, “We don’t want to do that. We don’t want to be the next guy that exposes a source, who gets the source arrested.”
Media lawyers said contemporary legal realities often left them out of the loop. When the government launches a leak investigation, “They don’t need to come to [the outlets being investigated],” said one. “They run into a variety of complications when they come to us, and there’s the optics of it and everything else. I think that they would prefer not to, and if they don’t need to, they don’t.”
Instead the investigations are more centered on looking at government employees’ own electronic footprints. Another media lawyer agreed: “They don’t bother subpoenaing us anymore, and I think that’s because of information security reasons. They can just go get the data elsewhere. They can subpoena it from third-party providers. They can capture it using technological methods if reporters don’t protect themselves.”