Journalists and news organizations are “massively overrepresented” in targeted hacking attacks sponsored by nation-states, according to two Google (GOOG) security researchers. Twenty-one of 25 top news outfits have been targeted by government hacking, the researchers said in a briefing at the Black Hat Asia security conference in Singapore on Friday. News organizations have been slower than businesses to recognize the threat and take action, Google’s Morgan Marquis-Boire told Reuters.
I don’t think I’m the only one who finds this unsurprising. The question is, how worrying is it? The answer depends on who you are.
On the surface, it probably doesn’t mean much to news consumers. There have been plenty of disruptive attacks on media websites, including one on the New York Times last year, purportedly by the Syrian Electronic Army. The Times’ website problems lasted for hours. How much could state-sponsored attacks influence or harm coverage by the world’s ambiguously defined top outlets? Maybe on a short-term basis, if there’s a disruption of systems.
For journalists themselves, it’s a wake-up call. Reporters should expect that a lot of people are trying to get into their e-mail, keeping track of their whereabouts and contacts, and exploiting any carelessness to penetrate their employers’ corporate networks. We should be taking security more seriously. Then again, journalism is and probably always has been a dangerous profession, particularly in certain countries. State-sponsored hacking is just helping to make old-fashioned press control and intimidation easier to carry out. Twelve journalists have already been killed in 2014, and, as of December, 211 journalists were jailed in 2013 alone, according to the Committee to Protect Journalists (CPJ).
The people who should be most concerned about this are sources. The most important news often comes out because a courageous insider stepped forward, risking her job, her safety, and even her life. If news organizations and journalists don’t protect themselves, then they also can’t protect their sources from prying government eyes. And this isn’t just China and Syria we’re talking about—it’s also the U.S. government, which is pursuing leakers like never before.
News organizations, like most companies, probably aren’t doing enough to close the gaps in their systems. Cybersecurity reports routinely show that most companies, media or otherwise, have not taken basic security steps, such as keeping patches up to date, requiring strong passwords, and having a cyber-response plan ready in case of attack.
But a lot—especially in terms of protecting sources—comes back to the individual reporter. The CPJ has a security guide (PDF) for journalists: “Good information security is rarely about fending off sophisticated cyber attacks and Hollywood-style hackers,” the guide says. “It’s about understanding the motives and capabilities of those who might want to attack you, and developing consistent habits based on those assessments.” Those habits may include encrypting your e-mail, using a virtual private network or the free anonymizing Tor network when using the Internet, or encrypting specific data on your laptop. The CPJ also has a blog on security that looks at challenges in specific regions.
Google’s researchers are simply telling us what we already know: We’ve all got to do better.