Runa Sandvik, Author at Microsoft Security Blog

A multidimensional approach to journalism security
http://approjects.co.za/?big=en-us/security/blog/2022/08/23/a-multidimensional-approach-to-journalism-security/
Tue, 23 Aug 2022 16:00:00 +0000

Former New York Times Senior Director of Information Security Runa Sandvik shares strategies to help protect journalists and media organizations.

The post A multidimensional approach to journalism security appeared first on Microsoft Security Blog.

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Runa Sandvik, Former Senior Director of Information Security at The New York Times and member of CISA’s Technical Advisory Council. She recently was interviewed about her new startup, Granitt, in TechCrunch.1 The thoughts below reflect Runa’s views, not the views of Microsoft, and are not legal advice. In this blog post, Runa talks about security for journalists and media organizations.

Brooke: How did you get into cybersecurity?

Runa: I got my first computer when I was 15. I studied for a bachelor’s in computer science at a university in Norway, where I’m from. One thing I really enjoy about this industry is that within computer science and cybersecurity, there are so many different challenges to take on. There are so many problems that you can work on and so many things to be curious about and I’ve always really loved that.

During the summer of 2009, before the last year of my bachelor’s, I worked for the Tor Project as part of Google Summer of Code. Once that internship wrapped up, I stayed on with the Tor Project and I volunteered to continue maintaining my project. Over time, Tor offered me a part-time contract and later, a full-time contract.

A lot of the work that I do today has been shaped by the four years that I spent working with the Tor Project. When I first heard about Tor, I thought it was cool that you could be anonymous online by using a piece of technology. I didn’t consider who’s using it or for what reason. But over the four years with Tor, I got to meet not only other people working in the same space but also people around the world who told me about their experiences with the tool and what it enabled them to do, which was a hugely positive experience for me.

Brooke: What excites you the most about protecting journalists?

Runa: Around 2011, four projects got funding to train reporters on how to use the Tor browser and I ended up leading that project. We were building out a curriculum and we felt very quickly that it was not super helpful to teach someone how to use a Tor browser to be safe online if they’re not also familiar with general security best practices, like passwords and two-factor authentication and the importance of software updates. So, we built a curriculum around that. I later took that experience with me to the Freedom of the Press Foundation and The New York Times.

The work that I’ve done with journalists was something that I stumbled into, but looking at it now, I think investigative journalism has a lot of the same themes as security research. It has the same puzzles, same challenges, and the same digging that gets me really curious and really interested. It also has this incredibly important mission behind it.

Brooke: What do you do to protect journalists and at-risk groups or organizations?

Runa: For an individual to work safely or securely, I consider digital security, physical security, emotional safety, and legal issues. Journalism security really needs to encompass all four buckets, so some of the work that I do has been one-on-one discussions with reporters who want everyday security guidance, and I help them figure out what they can do to improve. They are usually preparing for a specific investigative project or preparing for a trip to an at-risk area.

I have worked closely with groups of people at media organizations that are a mix of reporters, IT, security, and legal to produce a security plan based on the challenges they face and the kind of support the newsroom needs. Years ago, if you were a big enterprise like The New York Times, Washington Post, Microsoft, or Google, there were a lot of big, complex cybersecurity frameworks to help you get a baseline and the steps to take to improve moving forward.

If you’re an individual looking to improve your security, there are guides from the Electronic Frontier Foundation and the Freedom of the Press Foundation giving you information like “here’s how you use a password manager” and “here’s how you set up two-factor authentication,” but Ford Foundation fellow, Matt Mitchell, found that if you’re a small organization or small team, there’s not a good option available. He put together a committee to develop the Ford Foundation Cybersecurity Assessment Tool, which is designed for smaller organizations. It is a really effective way to figure out where I am today and where the focus should be on the next year or two.

Brooke: What are the biggest threats you’ve seen in your line of work?

Runa: If we are talking about security issues that a journalist as an individual might face, we could talk about online account takeover and phishing scams. I recently gave a talk at Paranoia in Oslo about how the media gets hacked and the root cause behind all these issues. If we are talking about the organization that the journalist works for, it comes down to a lack of two-factor authentication, credential stuffing, poor passwords, phishing, and outdated systems.

Over the years, my work has focused on the individual, but 10 years ago, Tor was clunky and complex. We had VPNs. We had tools to fully encrypt the drive in your laptop, but they were clunky to use. There was a long text of steps to get it all up and running. People needed a lot of help to use it. These days, we have all the tools and they’re either free or not super expensive. What is missing now is that buy-in from leadership to create the processes and the workflows to ensure that the newsrooms have all these tools provided to them. Currently, it is more of a building-the-bridges type of challenge. I don’t think we are necessarily missing any tools. We just need to figure out how to piece it together.

Brooke: What are the biggest security challenges for journalists?

Runa: A journalist is a journalist all day, every day. That is not just a job, it is an identity. They are journalists, whether they are in a movie theater with a personal phone or at work with their company laptop. Regardless of the device they are using, the time of day, and location in the world, they are still journalists, and they are going to report if there is something to report on. In a corporate context, historically, we have been focused on securing corporate accounts, corporate systems, and corporate devices, but for roles like journalism and other activist groups, that starts to break down a bit. I think there needs to be a greater conversation around how we go about securing identities as opposed to just the 9-to-5 corporate bits and bobs.

Another big challenge is building sufficient support on the business side of the company to be able to provide adequate support to the newsroom. Reporters who I have talked to are not questioning that they need to be more secure and that they need processes or tools. Once that is provided, they are very willing to try things. You just need to build that bridge and help the business side understand the challenges in the newsroom and the potential challenges that presents for the business, whether from a physical, digital, or legal standpoint, and then produce ways to address that.

Supporting the work that the newsroom is doing means developing products, developing the content management system (CMS), getting stories out, producing new ways to report, retaining subscribers, and funding reporters who go out on investigative trips. All of these things are incredibly important and sometimes more important than security. The challenge is where do I spend my resources knowing that everything is so strapped?

There are a lot of diverse ways that you could improve security at your organization and even if you do not have the resources currently for the best and biggest and greatest product, there are still small things that you can do. It is a matter of figuring out how to focus on this one thing you do have to focus on, even if it’s just one person, two people, or a small team. At this point, not focusing on cybersecurity is not an option.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1 Runa Sandvik’s new startup Granitt secures at-risk people from hackers and nation states, Zack Whittaker. July 15, 2022.

 

How security can keep media and sources safe
http://approjects.co.za/?big=en-us/security/blog/2021/08/10/how-security-can-keep-media-and-sources-safe/
Tue, 10 Aug 2021 18:00:24 +0000

In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Runa Sandvik, an expert on journalistic security and the former Senior Director of Information Security at The New York Times. In this blog, Runa introduces the unique challenges and fundamentals of journalistic security.

The post How security can keep media and sources safe appeared first on Microsoft Security Blog.

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Runa Sandvik, an expert on journalistic security and the former Senior Director of Information Security at The New York Times. In this blog, Runa introduces the unique challenges and fundamentals of journalistic security.

Natalia: What is journalistic security? 

Runa: Being a reporter is not a 9-to-5 job. You’re not just a reporter when you step through the doors of The Washington Post or The Wall Street Journal or CNN. It becomes something that you do before work, at the office, at home, or after work at the bar. In some ways, you’re always on the job, so securing a journalist is about securing their life and identity. You’re not just securing the accounts and the systems that they’re using at work, which would fall under the enterprise; you’re securing the accounts and the systems that they use on a personal basis.

In addition, reporters travel. They cover protests and war zones. You will have to account for their physical and emotional safety. Journalistic security for me is effectively the umbrella term for digital security, physical security, and emotional safety.

Natalia: What is unique about securing a media organization?  

Runa: A media organization, whether it’s a smaller nonprofit newsroom or a larger enterprise, needs the same type of security tools and processes as any other organization. However, with a media organization, you must consider the impact. We’re not just talking about data belonging to the enterprise being encrypted or stolen and dumped online; we’re also talking about data from subscribers, readers, and sources. As a result, the potential ramifications of an attack against a media organization—whether it’s a targeted attack, like a nation-state actor looking for the sources of a story, or opportunistic ransomware—can be greater and involve far more people in a more sensitive context. Privacy-preserving monitoring is also important for newsrooms. I believe in helping the journalist understand what’s happening on their devices. If we aren’t teaching them to threat model and think about the digital security risks of their stories and communications with sources, we’re going to have a gap.

The other major difference is the pace. Newsrooms are incredibly deadline-driven, and security’s job is to enable journalists to do their job safely, not block their work. If a journalist tells their security team that they’re going to North Korea and need a secure setup, the team needs to shift their to-do list around to accommodate that—whether it means providing training or new hardware.

Natalia: What’s the biggest challenge to securing a media organization? 

Runa: The one thing that continues to be a challenge for media organizations is the lack of trust and collaboration between the internal IT and security teams and the newsroom. The newsroom doesn’t necessarily trust or go to those departments for help or tools to secure reporters, their material, and their work. If you’re building a defensive posture, you can’t secure what you don’t understand. If you don’t have a good relationship with the newsroom or know what kind of work they do, you’re going to have gaps. I’ve found it helpful to involve the newsroom when making decisions around tools and processes that impact their work. Involving the newsroom in discussions that affect it, even if they’re technical, will do a lot to build a trusting relationship.

Natalia: How do you build a process to evaluate and mitigate risk?  

Runa: If you’re writing about the best chocolate chip cookies, you’re probably fine. You’re probably not going to run into any issues with sources or harassment. If you decide to report on politics though, chances are you’ll face the risk of online threats and harassment that could escalate to physical threats and harassment. The context for a specific project and story becomes a set of risks that need to be accounted for.

Typically, the physical risk assessment process has already been established. Newsrooms have been sending reporters on risky assignments, such as to war zones, for a long time. In most newsrooms, a reporter will talk to the editor and assess the risk of any work-related travel. They get input from their physical security adviser, legal, and HR.

Building a similar process for the digital space becomes a challenge of education and awareness. In some cases, newsrooms have established and documented well-functioning processes, and security teams can become part of that decision tree. In other cases, you must start by introducing yourself to the newsroom and making sure people know you’re there to help. I’ve talked with news organizations in the United States, United Kingdom, and Norway that have cross-functional teams with representatives from the newsroom, IT, security, HR, communications, and legal to ensure no stories fall through the cracks.

Natalia: What processes, protocols, or technologies do you use to protect journalists and their investigations?

Runa: In a newsroom, you typically have “desks.” You have the investigations desk. You have style. You have sports. Different desks will have different needs from a technology and education perspective. Whenever I’m talking to a newsroom, I try to first cover security basics. We’re talking passwords, multifactor authentication, updates, and phishing. I cover the baseline; then look at the kind of work each desk is doing to drill in more. For investigations, this could involve setting up a tool to receive tips from the public, or air-gapped (offline) machines to securely review information.

For international travel, it could involve establishing an internal process with the IT team so a journalist can quickly request a new laptop or a new phone. In many cases, the tools that end up being used are popular and well-known. The journalist usually must use the same tools as the source.

Making the security team available to the newsroom also goes a long way. Reporters know how to ask questions—whether they’re doing an interview or trying to understand how a password manager works, or how to use a YubiKey. Give them an opportunity to ask questions through an internal chat channel or weekly meetings. It all goes back to relationship building and awareness.

Natalia: How has working in journalistic security shaped your perspective on security? 

Runa: When I first started working for The Tor Project, which develops free and open-source software for online anonymity, I was curious about how it’s possible to use lines of code to achieve that. I didn’t think much about the people who use it or what they use it for. But through that work, I learned a lot about the global impact The Tor Project has: from activists and journalists to security researchers and law enforcement. In interacting with reporters, I had to accept that there’s a difference between the ideal setup from a security standpoint and what’s going to get the job done. It would be great to give everyone a laptop with Tails or Qubes OS configured, but are they going to be able to use it for their work? At what point do we say that we’ve found a happy middle between securing the data or systems, enabling the reporter, and accepting risk?

Natalia: How can we continue to enhance security in the newsroom?  

Runa: We need more of a focus on security attacks that target and impact media organizations and reporters. Typically, when you read information about security attacks, it usually highlights the industries affected. You’ll see references to government, education, and healthcare, but what about media?

If you’re working at a media organization trying to understand what kind of digital threats you’re facing, where do you go to find information? I would love to see an organization or individual build a resource with a timeline of the kind of digital attacks we’ve seen against media organizations in the United States from 2015 to 2021. This would be a way to get a pulse on what’s happening to educate journalists of the risks, identify impact and risk to operations, and inform leadership.
