As phishing campaigns and government spyware are becoming increasingly sophisticated, newsrooms must realise they are only as strong as their weakest link
When Dan McCrum, an investigative journalist at The Financial Times (FT), started poking around the multi-billion dollar payment processing company Wirecard in 2015, he soon had a target on his back.
At the Centre for Investigative Journalism’s Logan Symposium event last week, he explained what followed the publication of a negative article about the company: he became embroiled in allegations of a conspiracy, namely that his reporting was an attempt to drive down, and then take advantage of, Wirecard's stock market price.
As recently as last year, there were criminal investigations (since dropped) to try and control this narrative. But first, McCrum found out that eavesdropping devices known as IMSI-catchers had been used to target his phone directly.
He does not know how effective these efforts were, but he and his colleague became subject to an intense and highly personalised phishing campaign. The emails were convincing; they resembled LinkedIn messages, YouTube links sent by colleagues and photo albums using Facebook pictures. He realised how real the threat was when he saw his own emails in one attempt involving a false whistleblower.
"Paranoia takes hold," McCrum reflects at the event. "Operating under that sense of attack, you're worried about family, certainly lots of people in the Wirecard [case] targeted spouses. That constant sense of paranoia impedes the reporting as well."
McCrum first needed to 'bunker down' for three months, working on an 'off-the-grid laptop'. A breach of security makes it hard to contact sources, and it also deeply affects the entire newsroom.
"We’ve spent many years working with journalists who have been targeted," says John Scott-Railton, senior researcher at The University of Toronto's Citizen Lab, an academic group focused on the study of digital threats to civil society.
"You feel like you’re bringing risks to the party and you don’t know where your contagion begins and ends. It changes your behaviour, in so many cases, it’s the targeted version of what repressive regimes try to do, which is that they try to convince you that they can listen to your calls and they’re all-knowing."
There are other high-profile examples of 'hack-for-hire' operations, most notoriously the case of BellTroX InfoTech Services, which targeted journalists as well as people in other professions.
But the truth is that cyber threats to journalists are no longer just restricted to those reporting on digital security, said Runa Sandvik, a digital security expert for journalists. She has spent nine years in this space, having worked for The New York Times, Freedom of the Press Foundation and The Tor Project.
"Early on, my sense was that digital security was something that only certain reporters needed", she says, adding that awareness might be increasing but there is still a disconnect between the newsroom and the business side of the company. War correspondents, for instance, go out into the field with a built-in process: insurance, training, paperwork and equipment. Many reporters working online do not have the equivalent armour.
Instead, journalists develop the necessary protections and precautions through connections and experience, but this is not good enough in 2020.
"Especially if you work for an established media organisation, those shouldn't be things you have to ad hoc figure out along the way, it should be an established process within the media organisation," Sandvik says.
It becomes more pressing when you consider the variety of sources from which a cyberattack can come. It is not just individual hackers or companies with bad motives; government spyware is also a concern, said Lorenzo Franceschi-Bicchierai, senior staff writer at Motherboard. His beat is hacking, information security, surveillance and privacy.
The examples of FinFisher and Hacking Team as 'government-hacking-as-a-service' make for an uneasy prospect for journalists, especially those operating in countries with limited press freedom. This software has historically seeped out to regions in South America and the Middle East.
Franceschi-Bicchierai said there are some limitations on how Western governments can use surveillance and hacking software. Companies are also restricted in where they can export to and face sanctions for violations. But it remains an under-regulated area and the market is "secretive by design".
"On both sides, you have the customer and provider that don't want to talk about anything," he explains. "The same is true with private customers because companies don't want to get caught using, probably, illegal services."
What protection do reporters need? McCrum's example is a salient one because the most common form of hacking is phishing. So basic cybersecurity is a start: two-step authentication, unique passwords and updating software regularly.
Beyond that, reporters may need separate workflows and devices for sensitive work or specific communications. But crucially, newsrooms need a united front on cybersecurity, as the entire team is only as strong as its weakest link.
"In some cases, it has been helpful to illustrate how targeting one individual could impact the whole newsroom and the entire business. Those examples are not typically found in the world of mercenaries and spies, but in ransomware," Sandvik explains.
"It only takes one individual to click a link, run a piece of software or open a document before the entire newsroom and company are affected by it."
McCrum said that FT shares this perspective, emphasising how one breach can give a hacker access to sensitive information on the CMS and internal emails.
Focus on why security matters, Sandvik added. In a newsroom, it can be helpful to tailor and focus the message around protecting everybody's sources.
"There is a growing industry, it has proliferated globally, and it is bringing risk to your beat and you," concludes Scott-Railton.