At the Center for Investigative Journalism’s Logan Symposium event last week, he explained what followed the publication of a negative article about the company: he became embroiled in a conspiracy that his reporting was an attempt to drive down, and then take advantage of, Wirecard's stock market price.
As recently as last year, there were criminal investigations (since dropped) to try and control this narrative. But at first, McCrum would find out that he had become a victim of eavesdropping devices, IMSI-catchers, used to target his phone directly.
He does not know how effective these efforts were, but he and his colleague became subject to an intense and highly personalised phishing campaign. Emails were convincing; they resembled LinkedIn messages, YouTube links sent by colleagues and photo albums using Facebook pictures. He realised how real the threat was when he saw his own emails in one attempt involving a false whistleblower.
"Paranoia takes hold," McCrum reflects at the event. "Operating under that sense of attack, you're worried about family, certainly lots of people in the Wirecard [case] targeted spouses. That constant sense of paranoia impedes the reporting as well."
Stopping the contagion
McCrum first needed to 'bunker down' for three months, working on an 'off-the-grid laptop'. A breach of security makes it hard to contact sources and it also deeply affects the entire newsroom.
"We’ve spent many years working with journalists who have been targeted," says John Scott-Railton, senior researcher at The University of Toronto's Citizen Lab, an academic group focused on the study of digital threats to civil society.
"You feel like you’re bringing risks to the party and you don’t know where your contagion begins and ends. It changes your behaviour, in so many cases, it’s the targeted version of what repressive regimes try to do, which is that they try to convince you that they can listen to your calls and they’re all-knowing."
Equipping reporters to work online
There are other high-profile examples of 'hack-for-hire' operations, notoriously the case of BellTroX InfoTech Services, which targeted journalists as well as other professions.
But the truth is that cyber threats to journalists are no longer just restricted to those reporting on digital security, said Runa Sandvik, a digital security expert for journalists. She has spent nine years in this space, having worked for The New York Times, Freedom of the Press Foundation and The Tor Project.
"Early on, my sense was that digital security was something that only certain reporters needed", she says, adding that awareness might be increasing but there is still a disconnect between the newsroom and the business side of the company. War correspondents, for instance, go out into the field with a built-in process: insurance, training, paperwork and equipment. Many reporters working online do not have the equivalent armour.
Instead, journalists develop the necessary protections and precautions through connections and experience, but this is not good enough in 2020.
"Especially if you work for an established media organisation, those shouldn't be things you have to ad hoc figure out along the way, it should be an established process within the media organisation," Sandvik says.
New threats to cybersecurity
It becomes more pressing when you consider the variety of sources from which a cyberattack can come. It is not just individual hackers or companies with bad motives; government spyware is also a concern, said Lorenzo Franceschi-Bicchierai, senior staff writer at Motherboard. His beat is hacking, information security, surveillance and privacy.
The examples of FinFisher and Hacking Team as 'government-hacking-as-a-service' make an uneasy prospect for journalists, especially those operating in limited press freedom countries. This software has historically seeped out to regions in South America and the Middle East.
Franceschi-Bicchierai said there are some limitations in terms of how Western governments can use surveillance and hacking software. Companies are also restricted in where they can export to and face sanctions for violations. But it remains an under-regulated area and the market is "secretive by design".
"On both sides, you have the customer and provider that don't want to talk about anything," he explains. "The same is true with private customers because companies don't want to get caught using, probably, illegal services."
Having a united front
What protection do reporters need? McCrum's example is a salient one because the most common form of hacking is phishing. So, basic cybersecurity is a start: two-step authentication, unique passwords and updating software regularly.
Beyond that, reporters may need separate workflows and devices for sensitive work or specific communications. But crucially, newsrooms need a united front on cybersecurity, as the entire team is only as strong as its weakest link.
"In some cases, it has been helpful to illustrate how targeting one individual could impact the whole newsroom and the entire business. Those examples are not typically found in the world of mercenaries and spies, but in ransomware," Sandvik explains.
"It only takes one individual to click a link, run a piece of software or open a document before the entire newsroom and company are affected by it."
McCrum said that FT shares this perspective, emphasising how one breach can give a hacker access to sensitive information on the CMS and internal emails.
Focus on why security matters, Sandvik added. In a newsroom, it can be helpful to tailor and focus the message around protecting everybody's sources.
"There is a growing industry, it has proliferated globally, and it is bringing risk to your beat and you," concludes Scott-Railton.