Hardly a week goes by without some major company announcing that it has been the victim of a cyber attack or hack. This spring, Netflix and HBO were each the targets of hackers, and this followed hacks at Sony and other media companies. In recent years, several of the largest newspapers around the world have also been the victims in such attacks.
In 2013, Chinese hackers conducted cyber attacks on the Washington Post and Bloomberg, while the Syrian Electronic Army (SEA) was responsible for 2014 attacks on The Independent, The London Evening Standard, The Chicago Tribune and The Telegraph. Chinese hackers have reportedly been targeting American news organizations going back as far as 2008.
Compared to breaches of retail websites—notably Target, Home Depot and T.J. Maxx—or of healthcare providers, the attacks against newspapers have largely been less costly to date. Moreover, while cyber attacks against news organizations have been high profile, the real growth sector for cyber criminals has remained in the healthcare sector, which saw attacks increase by 63 percent in 2016 according to research from TrapX Labs, a division of TrapX Security.
“Medical remains the holy grail because of the information that can be obtained,” said Nick Nascimento, founder of Sentage Systems, a managed IT services company. “However, the same methodology that is used in an attack on a healthcare provider could be utilized in any other sector. The methods and techniques are all the same.”
Movies and television shows may suggest that hacking involves a deep understanding of computer systems, but it isn’t actually the technology that is the weakest link in cyber security; it is the human element.
“The New York Times was hacked the same way that hackers targeted the electrical grid,” said Nascimento. “You can put up the best firewalls, but a lot of it comes down to social engineering, and this is why it is important to educate the employees.”
This is one part of the strategy to stop these breaches.
“You can do everything right, but one employee or outside contractor or vendor is all it takes to allow the breach to happen,” said Adam K. Levin, founder of CyberScout, a cyber security and fraud protection service. “It comes down to that person clicking on the wrong link, which can introduce malware into a system and obtain a password.”
Levin added that for that reason alone breaches have almost become a third certainty in life and that it will take more than technology to solve the problem.
For newspapers, there is a lot at risk. It could be the next frontier for hackers and other cyber criminals. If that’s the case, how can newspapers prevent and prepare for such an attack?
What Data is at Risk?
The first thing to understand is why hackers might even want to target a news organization. Most security experts say it goes back to the often misquoted line from career criminal Willie Sutton about robbing banks, as in “That’s where the money is.”
Newspapers may not have a lot of money, but they have a 21st century currency—namely information.
Of course all major companies today have a lot of personal information on their respective employees, their customers or both. However, for media companies, this can include more than the usual employee data such as addresses, social security numbers and other personal information such as birthdays. Customer data can also include addresses and often credit card numbers.
“Media companies collect the same sort of data as other commercial organizations—names, addresses, passwords, billing info—so they might be targeted by hackers who collect and sell that information on the black market,” said Charles King, principal analyst at technology research firm Pund-IT.
A lot of that information doesn’t have the same value it once had. Credit card information and even social security numbers are so easily bought and sold on the dark web that the market is somewhat saturated. Hackers have become savvier in their attacks as a result.
“Many or most media companies store subscribers’ information in multiple sites so it’s difficult to imagine how that data could be held for ransom,” King said. “There are publishers that serve subscribers with specific political/philosophical outlooks whose data would be attractive to those on the opposite side or to government entities.”
All the News That Could Be Hacked
A bigger concern for newspapers and other media organizations is that hackers could opt to spread misinformation or so-called “fake news.” As the 2016 election cycle proved, there is real danger in the power of fake news, while more recently hackers and so-called hacktivists have used cloned Twitter accounts to further spread false information.
To date, most cyber attacks have been brief and failed to actually be harmful, but were major newspaper sites and/or social media to be hacked in a concerted effort, the results could be much more far-reaching. The United States suspects that Russian hackers may have planted fake news to create a crisis in Qatar earlier this year, and previously Russian hackers spread fake news during the crisis in Ukraine.
“There is enormous potential damage that could be done by hackers who target newspapers,” said Levin. “Newspapers hold a revered place in our society, and imagine if one high placed story that wasn’t a real story showed up online it could set off a domino effect.”
Hackers might target a newspaper—or again perhaps just its social media account—for a plethora of reasons, ideologies or beliefs. As noted, the motive could range from a hacktivist who wants to spread a personal opinion to efforts that could create an international crisis.
“Hacks targeting news sources/companies occur for a number of reasons,” King said. “For example, the New York Times bureau in Shanghai was targeted by hackers—identified after forensic analysis—with support from China’s government, who were gathering information about research and news sources behind stories of which the government didn’t approve.
“More recently, Harvard’s news site was hacked by people who posted jokes about Mark Zuckerberg. Similarly, hackers broke into Qatar’s state news agency and posted pro-Israel stories. These motivations—which range from simple embarrassment to intelligence gathering—wouldn’t be effective for promulgating fake news or promoting systemic mistrust, but if they occurred often enough the site would be effectively discredited.”
The risk remains especially as newspapers often get the news before it is technically news. Information that was under embargo or under a non-disclosure agreement would certainly be the holy grail for hackers who understand the value of knowing tomorrow’s news early.
“This could include such information as pending mergers, pending government discussions, pending regulations, pending EPA rulings; this list goes on and on,” Levin said. “That information in the wrong hands could move markets or could just as easily result in a war. We have to accept that media outlets are in a unique position to do good, or be used as an instrument to do bad things if that data is accessed.”
Just as there is a concern that anyone with government security clearance could be at risk from blackmail, and that information they know could be compromised, the same is true of reporters today.
“Reporters could be the target of bribery or extortion, just like anyone else, but what they know could be extremely valuable,” Levin said. “By targeting an individual rather than a newspaper’s servers, hackers could obtain some valuable information.”
Sources in the Crosshairs
Beyond the employee and customer information, as well as other confidential information that a newspaper’s computer network could contain, there is one other truly valued and protected item: the identity of confidential sources.
As long as people have been willing to share secrets with reporters, the identity of that source has been guarded often above and beyond the limits of the law. Reporters have literally gone to jail and in some cases died to protect a source. Hackers could change the balance entirely.
“The era of the fully protected source has long passed, and even if journalists are experts in cyber security they could never guarantee a whistle blower absolute protection anymore,” said Dr. Mark Pearson, professor of journalism and social media at the Griffith Centre for Social and Cultural Research and the Law Futures Centre at Griffith University. “Journalists have an ethical obligation to tell a confidential source that their identity might well be traceable.”
Here the greatest weakness may not be social engineering or phishing scams because even if the information is kept off newspaper servers, there are too many other variables in the digital age.
“Journalists who travel may have to stop relying on email,” said Sentage Systems’ Nascimento. “To protect sources might mean face-to-face communication.”
That might still not be enough.
“The combination of online and phone communications, geo-locational metadata, CCTV cameras and the ubiquity of audio and visual recording means that any initial and ongoing communication with endangered sources would need to be totally analog if it were not already on the radar of those who want to know,” Pearson said.
While the American NSA comes to mind as one group that seems to be an all-seeing eye, it is hardly the only such agency. Australia’s Federal Police admitted earlier this year that it had accessed a journalist’s metadata in breach of protocol.
“In addition to avoiding naming a confidential source in court, or under duress, a reporter now needs to practice digital safety and security to ensure that surveillance, interception and data handover (increasingly justified by states on national security grounds) don’t neutralize analog era source protection commitments,” said Julie Posetti, Fairfax Media head of digital editorial capability and author of the 2017 UNESCO study “Protecting Journalism Sources in the Digital Age.”
The same technology that is allowing for every conversation on devices to be captured could enable layers of encryption, but it isn’t clear if this will be enough to truly protect a source.
“This could involve the use of encrypted apps like Signal for more secure digital chat, and it should involve strong password protection across devices, along with awareness of metadata risks,” Posetti said.
However, “while particular encrypted apps or software might be favored by savvy reporters, we must remember that it is in all our interests that the authorities devise and implement new methods to crack such systems to combat international crime like money laundering, terrorism and child pornography syndicates,” Pearson said. “Journalists’ source protection is an inevitable collateral casualty of such cyber law enforcement advances.”
To this end, sources must be in on the efforts to ensure their protection. Posetti recommends that journalists consider training their sources in secure communications methods.
Identities of sources, even more than employee data or corporate information under embargo, could be the sort of thing that state sponsored hackers might be most interested in. The name of a source may have little actual financial value, so governments may be far more interested for any variety of nefarious reasons.
“This is a very valid concern,” Posetti said. “But hacking may not be required when mass surveillance and data retention policies potentially catch many confidential source based communications in the net. It’s a ‘brave new world’ and journalists, their editors, publishers, states and third party intermediaries have a responsibility to ensure that confidential sources and whistleblowers can continue to reveal information shared in the public trust.”
Such a danger is also obvious because there is already evidence it may have happened, said Pearson. “Recent cyber attacks upon various government agencies and corporations apparently by, or on behalf of, certain foreign powers are a small step away from a targeted search for the identity of sources opposed to their interests,” he explained. “As for corporate entities, The News of the World phone hacking scandal was an example of major corporations using illegal means to get confidential and private information for stories. If such tactics can be implemented by the media, they can also be used by corporations or governments against them.”
While such precautions by media companies are sensible, Pearson added that the more important imperative is adequate education of journalists about their individual responsibility to sources, awareness of the national security powers of agencies to access their metadata, and their clear and precise wording of negotiations with sources over confidentiality so that all parties are aware of the terms of the agreement and the real limitations on the protection of the source’s identity.
Stepping Up Security and Training People
Unfortunately, there is no magic button to push, no software to install or any other simple solution to stopping cyber attacks.
The first thing is to limit access.
“All organizations at all levels should be able to answer a few questions,” Levin said. “Do you encrypt your data? Do you segment your data?”
Encryption can help make it harder for hackers or other cyber criminals to utilize the data that is compromised during a breach, while segmenting the data can ensure that there is no skeleton key to the kingdom.
“If someone breaches one part of your network they shouldn’t have access to all the other parts,” Levin said. “This is a failing that happens too often, but it isn’t just technology. There needs to be education and a constant discussion (that) includes HR, legal, the news department and even the mail room. There is simply way too much at stake here.”
The other part is training. Employees should know that even the vice president of HR won’t ask for personal passwords, and should such an email come, a phone call should be made to confirm it is legitimate.
“Training also needs to be ongoing,” Levin said. “Too often we see that this is mentioned to the whole company and a warning sent out, and then nothing. People shouldn’t be trained just on their first day or even quarterly.”
These lessons should include not using passwords in one’s business life that are linked in any way to one’s personal/private life; monitoring email for malware; not visiting risky websites; suspecting all email attachments of containing malware; and never clicking on embedded links.
In many cases, hackers today don’t actually need to breach a system that is behind a robust firewall, as mobile devices including smartphones, tablets and laptops often contain extremely sensitive information. These devices are often left in hotel rooms or used on airplanes—places where reporters can all too often let their guard down. Reporters need to treat their devices just as they do their protected sources. Some of it may sound like extreme measures, but considering that hackers go to such extremes to obtain information, it isn’t a matter of whether one is too paranoid but rather whether one is paranoid enough.
“Putting phones in freezers or foil bags called ‘Faraday Cages,’ throwing burner phones into the river, using ‘air gapped’ computers—those that have never been connected to the internet—in secure rooms are all methods investigative journalists and editors have deployed in recent times on highly sensitive stories,” Posetti said. “Although such measures are reserved for high risk stories—think national security and sophisticated organized crime syndicates—everyday measures like integrating physical safety policies with digital security measures, introducing threat assessment measures and undertaking specialist newsroom training are essential.”
The good news is that the media reports on breaches enough to understand that it is a valid risk and precautions are being taken.
“The relatively few recent stories about news site hacking suggest that media companies take hacking seriously,” said Pund-IT’s King. “They certainly should, since being scammed or taken over by hackers is both embarrassing and can negatively impact a company’s brand. Most traditional news companies are under such severe financial pressure that ignoring the dangers of hacking is equivalent to a death wish.”
It may come down to continued due diligence to stop the hackers at the gateway, and that includes the human element as much as stronger passwords, two factor authentication or the latest firewall technology.
“Throwing a fortune at technology isn’t the answer,” Levin said. “It is a solution, but isn’t the silver bullet or magic arrow that can fix all the problems. No system is any better than its weakest link, and humans have always been and always will be the weakest link. It is going to take education as well as technology to ensure that the kingdom is protected from the barbarians at the gate.”