Credit: Photo by Adi Goldstein on Unsplash

When investigative journalist of The Financial Times (FT) Dan McCrum started poking around a multi-billion dollar payment processing company Wirecard in 2015, he would soon have a target on his back.

At the Center for Investigative Journalism’s Logan Symposium event last week, he explained what followed the publication of a negative article about the company: he became embroiled in a conspiracy that his reporting was an attempt to drive down, and then take advantage of, Wirecard stock market price.

As recently as last year, there were criminal investigations (since dropped) to try and control this narrative. But at first, McCrum would find out that he became a victim of eavesdropping devices, IMI-catchers, to target his phone directly.

He does not know how effective these efforts were but he and his colleague became subject to an intense and highly personalised phishing campaign. Emails were convincing; they resembled LinkedIn messages, YouTube links sent by colleagues and photo albums using Facebook pictures. He realised how real the threat was when he saw his own emails in one attempt involving a false whistleblower.

"Paranoia takes hold," McCrum reflects at the event. "Operating under that sense of attack, you're worried about family, certainly lots of people in the Wirecard [case] targetted spouses. That constant sense of paranoia impedes the reporting as well."

Stopping the contagion

McCrum first needed to 'bunker down' for three months, working on an 'off-the-grid laptop'. A breach of security makes it hard to contact sources and it also deeply affects the entire newsroom.

"We’ve spent many years working with journalists who have been targetted," says John Scott-Railton, senior researcher at The University of Toronto's Citizen Lab, an academic group focused on the study of digital threats to civil society.

"You feel like you’re bringing risks to the party and you don’t know where your contagion begins and ends. It changes your behaviour, in so many cases, it’s the targetted version of what repressive regimes try to do, which is that they try to convince you that they can listen to your calls and they’re all-knowing."

Equipping reporters to work online

There are other high-profile examples of 'hack-for-hire' operations, notoriously the case of BellTroX InfoTech Services which targetted journalists as well as other professions.

But the truth is that cyber threats to journalists are no longer just restricted to those reporting on digital security, said Runa Sandvik, a digital security expert for journalists. She has spent nine years in this space, having worked for The New York Times, Freedom of the Press Foundation and The Tor Project.

"Early on, my sense was that digital security was something that only certain reporters needed", she says, adding that awareness might be increasing but there is still a disconnect between the newsroom and the business side of the company. War correspondents, for instance, go out into the field with a built-in process: insurance, training, paperwork and equipment. Many reporters working online do not have the equivalent armour.

Instead, journalists develop the necessary protections and precautions through connections and experience but this is not good enough in 2020.

"Especially if you work for an established media organisation, those shouldn't be things you have to ad hoc figure out along the way, it should be an established process within the media organisation," Sandvik says.

New threats to cybersecurity

It becomes more pressing when you consider the variety of sources from which a cyberattack can come. It is not just individual hackers or companies with bad motives, but government spyware is also a concern, said Lorenzo Franceschi-Bicchierai, senior staff writer at Motherboard. His beat is hacking, information security, surveillance and privacy.

The examples of FinFisher and Hacking Team as 'government-hacking-as-a-service' make an uneasy prospect for journalists, especially those operating in limited press freedom countries. This software has historically seeped out to regions in South America and the Middle East.

Franceschi-Bicchierai said there are some limitations in terms of how Western governments can use surveillance and hacking software. Companies are also restricted to where they can export to and face sanctions for violations. But it remains an under-regulated area and the market is "secretive by design".

"On both sides, you have the customer and provider that don't want to talk about anything," he explains. "The same is true with private customers because companies don't want to get caught using, probably, illegal services."

Having a united front

What protection do reporters need? McCrum's example is a salient one because the most common form of hacking is phishing. So, basic cybersecurity is a start; two-step authentication, unique passwords and updating software regularly.

Beyond that, reporters may need separate workflows and devices for sensitive work or specific communications. But crucially, newsrooms need a united front on cybersecurity, as the entire team is only as strong as its weakest link.

"In some cases, it has been helpful to illustrate how targetting one individual could impact the whole newsroom and the entire business. Those examples are not typically found in the world of mercenaries and spies, but in ransomware," Sandvik explains.

"It only takes one individual to click a link, run a piece of software or open a document before the entire newsroom and company are affected by it."

McCrum said that FT shares this perspective, emphasising how one breach can give a hacker access to sensitive information on the CMS and internal emails.

Focus on why security matters, Sandvik added. In a newsroom, it can be helpful to tailor and focus the message around protecting everybody's sources.

"There is a growing industry, it has proliferated globally, and it is bringing risk to your beat and you,” concludes Scott-Railton.

Join us at our next digital journalism conference Newsrewired from 1 December 2020 for four days of industry expert panel discussions and workshops. Visit newsrewired.com for event agenda and tickets.

Free daily newsletter

If you like our news and feature articles, you can sign up to receive our free daily (Mon-Fri) email newsletter (mobile friendly).