Protecting Journalism and Free Speech
Ann Johnson: Welcome to Afternoon Cyber Tea with Ann Johnson, where we speak with some of the biggest security influencers in the industry about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security decision-makers I'm Ann Johnson. And today, I'm joined by Runa Sandvik. Runa is a modern-day hacker and computer security expert. She also has a reputation as a staunch proponent of strong encryption. In March of 2016, Runa was hired by The New York Times as their senior director of information security. During her tenure with the Times, she was responsible for instituting new high-tech security measures, keeping the publication's website protected and preventing cyberattacks on journalists - a crime that is becoming increasingly prevalent.
Ann Johnson: As a privacy and security researcher working at the intersection of technology, law and policy, Runa also teaches digital security to journalists and helps media organizations improve their security posture, something that is extremely important as we look to combat disinformation and protect our information channels. Welcome to Afternoon Cyber Tea, Runa.
Runa Sandvik: Thank you. Thank you for having me.
Ann Johnson: You know, Runa, there's been a number of published reports focused on the increase of cyberattacks on journalists. For example, a report focused on Russian media by Justice for Journalists showed that in the era from 2017 to 2019, the number of non-physical attacks and-or cyberattacks rose by 48%. Media companies are some of the most visible targets on the cyberthreat landscape, and there are several reasons why criminals seek to take advantage of them. What are some of the concerns that you have and perhaps The New York Times had when you came on board?
Runa Sandvik: I think one of the biggest challenges is the - like you said, it's the increase in attack then coupled with the lack of dedicated focus within media orgs on these particular attacks and the potential ways in which that you could be safer online. Today, like 2021, we have all of these, like, tools and apps and pieces of software for secure communication and account security and storing documents. So it's not that we're lacking the tools or the apps. It's just that we're lacking dedicated focus on processes and workflows and communicating that out to an audience that really would need to listen and to, like, take it in. So you need to communicate that with a very specific message that's going to land with the audience.
Ann Johnson: I think that that's - that's the challenge, right, is that communication and making sure that you're speaking in terms of the audience can understand.
Runa Sandvik: There's also been a lot written over the years about digital attacks on media organizations and freelance reporters, but I have still not seen any company push out any sort of dedicated stance on attacks against the media. Like, how often does it happen? Where does it happen? What are we seeing? Is it more phishing or is it more malware? Is it account takeover? Is it NSO-style exploits on your phone? So we're seeing all of these different reports from different groups, but I would love to see a more sort of dedicated focus from some group around exactly what digital attacks on media looks like.
Ann Johnson: You know, that makes a lot of sense. And by the - you know, before I get into the next question, I want to ask you, I don't see a lot of reporting on it, right? I don't see - you know, and I follow the industry really closely. I don't see a lot of reporting on digital attacks on journalists and what that looks like and the raising of awareness. So it seems like there's definitely a need there.
Runa Sandvik: Yeah, definitely.
Ann Johnson: So, you know, you are credited with implementing various new security advancements at the Times, including things like two-factor authentication for staffers logging into to site, safer communication methods, advanced security for subscribers and more. And another project I know you worked on was the tips line, which allows people to confidentially send tips to Times journalists. One example I'd heard was when the FBI raided Michael Cohen's office, there was a tip to the New York Times investigations desk via encrypted email that allowed them to break the story first. So whilst it would be great to have you talk us through that process - and did you believe it would help produce such a monumental story? - can you share with us first what led you to believe you needed to implement these new security measures, the needs that you saw?
Runa Sandvik: So back then - this was late 2016 - there wasn't a way for sources to contact the newsroom at The New York Times. If a source wanted to communicate something to a reporter at The New York Times, sure, you could send a letter in the mail to The New York Times. But more likely, you would have to first find the reporter that you wanted to communicate with. You would somehow need to get in touch with them, need to figure out how to do so safely and then also hope that they actually check their inbox or checked the whatever number you messaged, right? And by then providing this secure tip line, the Times gave the public a way to send information to The New York Times, the newsroom. And the Times then dedicated a team of reporters to then check submissions, respond to sources, make sure that the information was passed on to the right team in the newsroom and make sure that, like, all of this was actually followed up on.
Ann Johnson: Did you run into challenges? And I don't mean because people didn't want to do these things, but people just not understanding the technology.
Runa Sandvik: I can't say that I did. I think one of the things that The Times did, which was really clever back then, was that the team that ultimately set up the tips line was a cross-functional group of people. So you had the editorial lead from the newsroom. You had me representing security. You had someone representing IT and networking. And you had the reporters who were ultimately going to be the - sort of doing the day-to-day work for checking submissions and figuring out what to do with the stuff that came in and sort of doing that initial sorting of, is it spam? Is it a cat photo? Is it something super juicy? And so I think by having all of these stakeholders in the room from the get-go, it was more a matter of, how are we going to get this done than are we going to get it done or should we get it done?
Ann Johnson: So that's fantastic. And we often talk in cybersecurity about the need to get people on board early and to explain to them the why of what we're doing. And in doing that, it sends - tends to clear the path to the what we need to do. So I love that you took that approach.
Runa Sandvik: Oh, yeah. It was a much more fun project to work on because we didn't have to have that political back and forth of, like, are we going to do it? Are we not going to do it? And how are we going to do it? Like, everyone was, like, really, really clear on the end goal and the mission and the purpose and just the - being really excited about the potential that it had. Like, we didn't know how quickly we would get any interesting tips. We didn't know whether we would be flooded with cat photos or receive something that would be super, super helpful and lead to, like, a new Pulitzer Prize. But the opportunity and the possibility and the what if, I think, had a lot of people really, really excited about it.
Ann Johnson: That's outstanding. Also, I know that besides protecting the employees of The Times, you also placed measures in place to protect the source and, you know, which is - in the world of journalism, whether it's modern journalism or older journalism, sources are so incredibly important. When did you first realize that there were opportunities to better protect the sources, and what were some of the technical challenges you've traced when trying to complete that project?
Runa Sandvik: It's a good question. I was sort of thinking about, like, whether or not there - for me, historically - was a point when the source also became important or if it just always was. I think back in the day - like, 2011, 2012 - I did a lot of work securing freelance reporters. So independent reporters in Southeast Asia and in the Middle East. And at that point, you're focusing on securing an individual. So I see securing a journalist as securing an identity and securing the work that they're doing 24/7.
Runa Sandvik: Journalism goes beyond just the corporate accounts and corporate systems that you're using between the hours of 9 to 5. So when we're then talking about securing an individual and an identity, we are looking at securing corporate email and their personal social media and their personal laptop, as well as their corporate laptop. And because the tools and techniques that you're using are the ones that are freely available - some cases open source - anyone and everyone can use them, getting that information out will just also benefit the public and then any potential sources.
Runa Sandvik: So I think that, for me, by extension, it just became something that was a no-brainer. There wasn't a question about, do we need to also secure the source? We just need to secure the public, really, because anyone can be a source at any point in time.
Ann Johnson: That makes perfect sense, and protecting them is obviously going to keep them both safe, but also there's a reputation - reputational risk for the paper there - right? - that if their sources get leaked, people aren't going to want to be sources, that it will be very difficult.
Runa Sandvik: Exactly.
Ann Johnson: So journalists worldwide will continue to do the type of work that places them under various threats. So with newsroom shrinking and budgets stretched so thin, do journalists today have the resources that they need to not only conduct their day-to-day resource, but to do so without the threat of cybersecurity?
Runa Sandvik: I don't know if the answer to that is yes. Like, I think that there's definitely things that both individual reporters can do to improve their online security. There are things that nonprofit media orgs can do. There are things that more established in newsrooms can do. But also at the end of the day, the journalists will continue doing their work and will continue to report and research. And I think that it then does place - it gives us, as defenders then and as platforms, an opportunity to ensure that we are doing what we can to enable and support them to work safely. And just ensuring that they have the knowledge, they have the tools, they have the opportunity to take the steps that they could and should take.
Ann Johnson: That makes a lot of sense. And that probably leads to another question, which is, what type of skills do you think journalists need and should be learning, by the way, that don't necessarily require organizational funding when it comes to protecting themselves from a cybersecurity attack?
Runa Sandvik: I think there's two pieces to that. Freedom of the Press Foundation is actually working on a journalism school curriculum around exactly this topic, where I think some of the focus should absolutely be on what I would call the foundational security sort of best practice measures, where you have your password manager. You have two-factor authentication. You understand the importance of software updates. You can put some sort of thought around what to do with your accounts and your devices when you're traveling - and that you just sort of have, like, a good day-to-day workflow around all of those pieces.
Runa Sandvik: I think there's a separate part to this that then also starts touching on, what do you do for more specific projects, like if you're travelling to Qatar and you're interviewing someone? Or you happen to film something that the government didn't want you to film, and then that gear is confiscated at the border on your way home, like, how would you deal with that type of incident? How do you prep for something like that in advance? Now, that comes down to, like, actually talking about the type of trip that you're going to take before you actually go anywhere. But I think that planning and preparing for the work that you're about to take on, I think, is equally important.
Ann Johnson: I think that makes sense and, by the way, in any profession, right? And I recognize that a lot of the work that journalists do, they want to keep very quiet in advance. So there's - it's harder for them, right? Then they're going to have to do a lot of research themselves so that they can protect the confidentiality of whatever story it is.
Runa Sandvik: Exactly. It's sort of - it does, in many ways, become, like, yet another thing that they have to prep for. Like, when a reporter is preparing for what would be considered a high-risk assignment, many newsrooms already have a process in place for, like, talking to legal, talking to someone on masthead, talking to someone within HR who can figure out insurance and booking of the trip and all of those bits and pieces. And then now there is this, like, additional cybersecurity component to it, where they need to secure their online accounts. They need to secure their passwords. They need to think about the devices that they're taking with them. And the more we, the external parties or the supporting teams working within media organizations, can do to sort of streamline this and just make it the default part of the sort of initial workflow, I think, the better and the easier that's going to be for them.
Ann Johnson: That makes an awful lot of sense because they also aren't necessarily technologists, right? So let's try to make it really easy for them. They're becoming - everyone's becoming, increasingly, a digital native. I recognize that. But they aren't necessarily - their career isn't technology. So let's try to make it as easy as possible.
Runa Sandvik: Exactly.
Ann Johnson: So can we talk about this information for a minute? We know that the spread of disinformation is rampant. We know that journalists get a lot of sensitive information they possess and share with their audience that has the potential to create some large, you know, stories - right? - and large impact on - in the global landscape. What do you think the tech industry could be doing when it comes to protecting against disinformation? And how do you balance that, you know, with the responsibility of media agencies and their own, you know, security programs and how journalists behave?
Runa Sandvik: I think that is such a fascinating question because there is no one, single solution. And I don't think that the solution is purely policy-driven or purely a technical question, either. So I think it's sort of, like, a matter of figuring out, you know, what are the right levers to pull and how much, and how often, to sort of try and find some way to inform people about this challenge and some way to make progress, whatever that looks like. I think, one thing that I would love to see in that space would actually be directly from the media organizations, where, you know, over time - like, you can go back to, like, the 2016 election and just see how different media orgs handled that and how that was covered. And then you can try and look for, what kind of lessons did they learn after that? Was there any sort of acknowledgement publicly that things, perhaps, wasn't covered the way that they would have liked to cover things? Was there a discussion about how things could have been handled? Was there an acknowledgement internally that things could have been handled a different way?
Runa Sandvik: The really challenging part with sort of disinformation is that we don't necessarily - like, we talk about it being a thing. And you have platforms - like, Facebook is doing a lot of research around what that looks like, and disrupting different groups on their platform and pushing out a lot of really, really good research. But when disinformation then reaches the public, and it is spread by, say, a media organization, there's not a whole lot of acknowledgement later on that that has happened. And so I think that for that part of the communications chain, we do need a bit more transparency and openness around the fact that it is happening. It has happened. And it will continue to happen. So what are we going to do about it? How are we going to talk about it? And how are we going to actually learn from the past?
Ann Johnson: That makes a tremendous amount of sense. And it's interesting to me that a year ago, when I was recording this podcast, we never talked about disinformation. There obviously were people who were, you know, in the community that understood very deeply the intersection of disinformation and cybersecurity. But it's only starting to become really mainstream knowledge. And I'm talking about it on just about every "Afternoon Cyber Tea" that I record in some way or another. And I think there's going to be more and more realization over the intersection, not just in the actors, but of the motives.
Runa Sandvik: Exactly. Yeah.
Ann Johnson: So let's switch topics to you. You've recently launched a new research blog called "Glitch-Cat." What inspired you to start this new project?
Runa Sandvik: So I was attending a Mac malware conference called Objective by the Sea. And I think this was late September. And it might have been the first conference I attended in, like, two years. And it was just a - such an amazing space to be in with people who were just, like, really excited to see each other and just to be around people and new people and sharing their work and helping others sort of get up to speed. And it was just such a great community and a great experience that I realized that, for myself, I get a lot of personal value out of connecting with people and sharing what I'm up to and sharing what I'm learning. And in that way, giving people an opportunity to, like, either share things with me or teach me something new or find ways that we can collaborate on something.
Runa Sandvik: And I realized that for a long time, I just hadn't shared what I'm up to because - whatever reasons I had on my list. And I just sort of ended up on, like, let me just put up this, like, research plug so I have a place to put some content. Let me make sure that I write down the ideas that I have for future research and sort of hold myself accountable to sharing that with the public.
Ann Johnson: That makes a lot of sense, and you have a lot to share. Are there any other projects you're working on that you want to share with the audience?
Runa Sandvik: Not yet, but follow me on Twitter and something will pop up.
Ann Johnson: And what is your Twitter handle?
Runa Sandvik: @runasand.
Ann Johnson: Perfect. So the calendar new year is just around the corner as we record this. And I know a lot of folks are making predictions about 2022, but I want to do something different. I'd love for you to share with us what you are excited about in the world of cybersecurity when it comes to the year 2022.
Runa Sandvik: So I would love to then bring up some research that Meta published yesterday where they released this report on their sort of research into the surveillance-for-hire industry, which also then includes enforcements against surveillance entities from India, Israel, China and North Macedonia and recommendations for sort of holding the industry accountable. And I think that just seeing how companies and governments have sort of, for years, battled with this industry and - like, how do we deal with actors like HackingTeam or Gamma Group or NSO? Like, what do we do with these actors that are leveraging our platforms to target reporters in many cases?
Runa Sandvik: And so seeing now both, like, sanctions by the U.S. government focus on this industry and the problematic work that is coming out of this industry by entities in Europe and now also seeing private companies, like Meta, really take action to both publicize and share their research, but also actually take steps to ensure that those actors can no longer use your platform. Like, I think that that is fantastic work. It's something that's been a long time coming, and it's great to see that there's finally some movement and some progress in that space.
Ann Johnson: It is really good research, and I do think that we just - we need to make a lot more investment in that space, right? It's just this incredibly important growing topic. And I think that, you know, when you think about - and I'll say misinformation versus disinformation - there's a lot of misinformation out there when it comes to surveillance and cyber surveillance. And the more we can educate people and also educate them on how to protect themselves and the different settings they should be using and things like social media, it's really important.
Runa Sandvik: Exactly.
Ann Johnson: So I always like to send listeners off with a couple of actionable insights. Is there anything that you would like to - you know, two - or one or two key takeaways for our audience that you think will help them with their cyber challenges as you think about the future?
Runa Sandvik: My default is always to encourage people to set up a password manager and use two-factor authentication. I suspect that most, hopefully all, of the listeners of this podcast will have those pieces sorted already. So my other encouragement would then be to go and read this report that Meta published yesterday and try and get a sense of exactly what the challenges are within that industry, the types of work that is coming out of the surveillance-for-hire industry and how it affects people around the world. And then figure out, what is it that you can do to support the reporters who are at the end of this chain?
Ann Johnson: Makes perfect sense. Runa, thank you so much for taking the time to join Afternoon Cyber Tea today.
Runa Sandvik: Thank you for having me.
Ann Johnson: And many thanks to our audience for listening. Join us next time on Afternoon Cyber Tea.
Ann Johnson: So I asked Runa Sandvik to join me on Afternoon Cyber Tea because she's this incredibly deep intellectual who understands how media is targeted and how media is targeted with cyberattacks, not just physical attacks. And she's brought that expertise to her work, but she also spends her time devoted to that topic and the topic of surveillance, and there's just a lot of ground she covers that we wouldn't necessarily cover with other guests. It's an incredible listen. Runa met all my expectations, and I hope the audience really enjoys this podcast.