Hardly a week goes by without some major company announcing that it has been the victim of a cyber attack or hack. This spring, Netflix and HBO were each the targets of hackers, and this followed hacks at Sony and other media companies. In recent years, several of the largest newspapers around the world have also been the victims in such attacks.
In 2013, Chinese hackers conducted cyber attacks on the Washington Post and Bloomberg, while the Syrian Electronic Army (SEA) was responsible for 2014 attacks on The Independent, The London Evening Standard, The Chicago Tribune and The Telegraph. Chinese hackers have reportedly been targeting American news organizations going back as far as 2008.
Compared to breaches of retail websites—notably Target, Home Depot and T.J. Maxx—or of healthcare providers, the attacks against newspapers have largely been less costly to date. Moreover, while cyber attacks against news organizations have been high profile, the real growth sector for cyber criminals has remained in the healthcare sector, which saw attacks increase by 63 percent in 2016 according to research from TrapX Labs, a division of TrapX Security.
“Medical remains the holy grail because of the information that can be obtained,” said Nick Nascimento, founder of Sentage Systems, a managed IT services company. “However, the same methodology that is used in an attack on a healthcare provider could be utilized in any other sector. The methods and techniques are all the same.”
Despite what movies and television shows may suggest that hacking involves a deep understanding of computer systems, it isn’t actually the technology that is the weakest link in cyber security, it is the human element.
“The New York Times was hacked the same way that hackers targeted the electrical grid,” said Nascimento. “You can put up the best firewalls, but a lot of it comes down to social engineering, and this is why it is important to educate the employees.”
This is one part of the strategy to stop these breaches.
“You can do everything right, but one employee or outside contractor or vendor is all it takes to allow the breach to happen,” said Adam K. Levin, founder of CyberScout, cyber security and fraud protection service. “It comes down to that person clicking on the wrong link, which can introduce malware into a system and obtaining a password.”
Levin added that for that reason alone breaches have almost become a third certainty in life and that it will take more than technology to solve the problem.
For newspapers, there is a lot at risk. It could be the next frontier for hackers and other cyber criminals. If that’s the case, how can newspapers prevent and prepare for such an attack?
What Data is at Risk?
The first thing to understand is why hackers might even want to target a news organization. Most security experts say it goes back to the often misquoted line from career criminal Willy Sutton about robbing banks, as in “That’s where the money is.”
Newspapers may not have a lot money, but it has a 21st century currency—namely information.
Of course all major companies today have a lot of personal information either on their respective employees and/or customers. However, for media companies, this can include more than the usual employee data such as addresses, social security numbers and other personal information such as birthdays. Customer data can also include addresses and often credit card numbers.
“Media companies collect the same sort of data as other commercial organizations—names, addresses, passwords, billing info—so they might be targeted by hackers who collect and sell that information on the black market,” said Charles King, principal analyst at technology research firm Pund-IT.
A lot of that information doesn’t have the same value it once had. Credit card information and even social security numbers are so easily bought and sold on the dark web that the market is somewhat saturated. Hackers have become savvier in their attacks as a result.
“Many or most media companies store subscribers’ information in multiple sites so it’s difficult to imagine how that data could be held for ransom,” King said. “There are publishers that serve subscribers with specific political/philosophical outlooks whose data would be attractive to those on the opposite side or to government entities.”
All the News That Could Be Hacked
A bigger concern for newspapers and other media organizations is that hackers could opt to spread misinformation or so-called “fake news.” As the 2016 election cycle proved, there is real danger in the power of fake news, while more recently hackers and so-called hackavists have used cloned Twitter accounts to further spread false information.
To date, most cyber attacks have been brief and failed to actually be harmful, but were major newspaper sites and/or social media to be hacked in a concerted effort the results could be far more reaching. The United States suspects that Russian hackers may have planted fake news to create a crisis in Qatar earlier this year, and previously Russian hackers spread fake news during the crisis in the Ukraine.
“There is enormous potential damage that could be done by hackers who target newspapers,” said Levin. “Newspapers hold a revered place in our society, and imagine if one high placed story that wasn’t a real story showed up online it could set off a domino effect.”
The motivations that hackers might target a newspaper—or again perhaps just its social media account—could be for a plethora of reasons, ideologies or beliefs. As noted, it could range from a hackavist who may want to spread a personal opinion to efforts that could create an international crisis
“Hacks targeting news sources/companies occur for a number of reasons,” King said. “For example, the New York Times bureau in Shanghai was targeted by hackers—identified after forensic analysis—with support from China’s government, who were gathering information about research and news sources behind stories of which the government didn’t approve.
“More recently, Harvard’s news site was hacked by people who posted jokes about Mark Zuckerberg. Similarly, hackers broke into Qatar’s state news agency and posted pro-Israel stories. These motivations—which range from simple embarrassment to intelligence gathering—wouldn’t be effective for promulgating fake news or promoting systemic mistrust, but if they occurred often enough the site would be effectively discredited.”
The risk remains especially as newspapers often get the news before it is technically news. Information that was under embargo or under a non-disclosure agreement would certainly be the holy grail for hackers who understand the value of knowing tomorrow’s news early.
“This could include such information as pending mergers, pending government discussions, pending regulations, pending EPA ruling; this list goes on and on,” Levin said. “That information in the wrong hand could move markets or could just as easily result in a war. We have to accept that media outlets are in unique position to do good, or be used an as instrument do bad things if that data is accessed.”
Just as there is a concern that anyone with government security clearance could be at risk from blackmail, and that information they know could be compromised the same is true of reporters today.
“Reporters could be the target of bribery or extortion, just like anyone else, but what they know could be extremely valuable,” Levin said. “By targeting an individual rather than a newspaper’s servers, hackers could obtain some valuable information.”
Sources in the Crosshairs
Beyond the employee and customer information, as well as other confidential information that a newspaper’s computer network could contain, there is one other truly valued and protected item: the identity of confidential sources.
As long as people have been willing to share secrets with reporters, the identity of that source has been guarded often above and beyond the limits of the law. Reporters have literally gone to jail and in some cases died to protect a source. Hackers could change the balance entirely
Dr. Mark Pearson
“The era of the fully protected source has long passed, and even if journalists are experts in cyber security they could never guarantee a whistle blower absolute protection anymore,” said Dr. Mark Pearson, professor of journalism and social media at the Griffith Centre for Social and Cultural Research and the Law Futures Centre at Griffith University. “Journalists have an ethical obligation to tell a confidential source that their identity might well be traceable.”
Here the greatest weakness may not be social engineering or phishing scams because even if the information is kept off newspaper servers, there are too many other variables in the digital age.
“Journalists who travel may have to stop relying on email,” said Sentage Systems’ Nasscimento. “To protect sources might mean face-to-face communication.”
That might still not be enough.
“The combination of online and phone communications, geo-locational metadata, CCTV cameras and the ubiquity of audio and visual recording means that any initial and ongoing communication with endangered sources would need to be totally analog if it were not already on the radar of those who want to know,” Pearson said.
While the American NSA comes to mind as one group that seems to be an all-seeing eye, it is hardly the only such agency. Australia’s Federal Police had admitted earlier this year that it had accessed a journalist’s metadata in breach of protocol.
“In addition to avoiding naming a confidential source in court, or under duress, a reporter now needs to practice digital safety and security to ensure that surveillance, interception and data handover—increasingly justified by states on national security grounds don’t neutralize analog era source protection commitments,” said Julie Posetti, Fairfax Media head of digital editorial capability and author of the 2017 UNESCO study “Protecting Journalism Sources in the Digital Age.”
The same technology that is allowing for every conversation on devices to be captured could enable layers of encryption, but it isn’t clear if this will be enough to truly protect a source.
“This could involve the use of encrypted apps like Signal for more secure digital chat, and it should involve strong password protection across devices, along with awareness of metadata risks,” Posetti said.
However, “while particular encrypted apps or software might be favored by savvy reporters, we must remember that it is in all our interests that the authorities devise and implement new methods to crack such systems to combat international crime like money laundering, terrorism and child pornography syndicates,” Pearson said. “Journalists’ source protection is an inevitable collateral casualty of such cyber law enforcement advances.”
To this end, sources must be in on the efforts to ensure their protection. Posetti recommends that journalists consider training their sources in secure communications methods.
Identities of sources, even more than employee data or corporate information under embargo, could be the sort of thing that state sponsored hackers might be most interested in. The name of a source may have little actual financial value, so governments may be far more interested for any variety of nefarious reasons.
“This is a very valid concern,” Posetti said. “But hacking may not be required when mass surveillance and data retention policies potentially catch many confidential source based communications in the net. It’s a ‘brave new world’ and journalists, their editors, publishers, states and third party intermediaries have a responsibility to ensure that confidential sources and whistleblowers can continue to reveal information shared in the public trust.”
Such a danger is also obvious because there is already evidence it may have happened, said Pearson. “Recent cyber attacks upon various government agencies and corporations apparently by, or on behalf of, certain foreign powers is a small step away from a targeted search for the identity of sources opposed to their interests,” he explained. “As for corporate entities, The News of the World phone hacking scandal was an example of major corporations using illegal means to get confidential and private information for stories. If such tactics can be implemented by the media, they can also be used by corporations or governments against them.”
While such precautions by media companies are sensible, Pearson added that the more important imperative is adequate education of journalists about their individual responsibility to sources, awareness of the national security powers of agencies to access their metadata, and their clear and precise wording of negotiations with sources over confidentiality so that all parties are aware of the terms of the agreement and the real limitations on the protection of the source’s identity.