A multidimensional approach to journalism security

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Runa Sandvik, Former Senior Director of Information Security at The New York Times and member of CISA’s Technical Advisory Council. She recently was interviewed about her new startup, Granitt, in TechCrunch.1 The thoughts below reflect Runa’s views, not the views of Microsoft, and are not legal advice. In this blog post, Runa talks about security for journalists and media organizations.

Brooke: How did you get into cybersecurity?

Runa: I got my first computer when I was 15. I studied for a bachelor’s in computer science at a university in Norway, where I’m from. One thing I really enjoy about this industry is that within computer science and cybersecurity, there are so many different challenges to take on. There are so many problems that you can work on and so many things to be curious about and I’ve always really loved that.

During the summer of 2009, before the last year of my bachelor’s, I worked for the Tor Project as part of Google Summer of Code. Once that internship wrapped up, I stayed on with the Tor project and I volunteered to continue maintaining my project. Over time, Tor offered me a part-time contract and later, a full-time contract.

A lot of the work that I do today has been shaped by the four years that I spent working with the Tor project. When I first heard about Tor, I thought it was cool that you could be anonymous online by using a piece of technology. I didn’t consider who’s using it or for what reason. But over the four years with Tor, I got to meet not only other people working in the same space but also people around the world who told me about their experiences with the tool and what it enabled them to do, which was a hugely positive experience for me.

Brooke: What excites you the most about protecting journalists?

Runa: Around 2011, four projects got funding to train reporters on how to use the Tor browser and I ended up leading that project. We were building out a curriculum and we felt very quickly that it was not super helpful to teach someone how to use a Tor browser to be safe online if they’re not also familiar with general security best practices, like passwords and two-factor authentication and the importance of software updates. So, we built a curriculum around that. I later took that experience with me to the Freedom of the Press Foundation and The New York Times.

The work that I’ve done with journalists was something that I stumbled into, but looking at it now, I think investigative journalism has a lot of the same themes as security research. It has the same puzzles, same challenges, and the same digging that gets me really curious and really interested. It also has this incredibly important mission behind it.

Brooke: What do you do to protect journalists and at-risk groups or organizations?

Runa: For an individual to work safely or securely, I consider digital security, physical security, emotional safety, and legal issues. Journalism security really needs to encompass all four buckets, so some of the work that I do has been one-on-one discussions with reporters who want everyday security guidance, and I help them figure out what they can do to improve. They are usually preparing for a specific investigative project or preparing for a trip to an at-risk area.

I have worked closely with groups of people at media organizations that are a mix of reporters, IT, security, and legal to produce a security plan based on the challenges they face and the kind of support the newsroom needs. Years ago, if you were a big enterprise like The New York Times, Washington Post, Microsoft, or Google, there were a lot of big, complex cybersecurity frameworks to help you get a baseline and the steps to take to improve moving forward.

If you’re an individual looking to improve your security, there are guides from the Electronic Frontier Foundation and the Freedom of the Press Foundation giving you information like “here’s how you use a password manager” and “here’s how you set up two-factor authentication,” but Ford Foundation fellow, Matt Mitchell, found that if you’re a small organization or small team, there’s not a good option available. He put together a committee to develop the Ford Foundation Cybersecurity Assessment Tool, which is designed for smaller organizations. It is a really effective way to figure out where I am today and where the focus should be on the next year or two.

Brooke: What are the biggest threats you’ve seen in your line of work?

Runa: If we are talking about security issues that a journalist as an individual might face, we could talk about online account takeover and phishing scams. I recently gave a talk at Paranoia in Oslo about how the media gets hacked and the root cause behind all these issues. If we are talking about the organization that the journalist works for, it comes down to a lack of two-factor authentication credential stuffing, poor passwords, phishing, and outdated systems.

Over the years, my work has focused on the individual, but 10 years ago, Tor was clunky and complex. We had VPNs. We had tools to fully encrypt the drive in your laptop, but they were clunky to use. There was a long text of steps to get it all up and running. People needed a lot of help to use it. These days, we have all the tools and they’re either free or not super expensive. What is missing now is that buy-in from leadership to create the processes and the workflows to ensure that the newsrooms have all these tools provided to them. Currently, it is more of a building-the-bridges type of challenge. I don’t think we are necessarily missing any tools. We just need to figure out how to piece it together.

Brooke: What are the biggest security challenges for journalists?

Runa: A journalist is a journalist all day, every day. That is not just a job, it is an identity. They are journalists, whether they are in a movie theater with a personal phone or at work with their company laptop. Regardless of the device they are using, the time of day, and location in the world, they are still journalists, and they are going to report if there is something to report on. In a corporate context, historically, we have been focused on securing corporate accounts, corporate systems, and corporate devices, but for roles like journalism and other activist groups, which starts to break down a bit. I think there needs to be a greater conversation around how we go about securing identities as opposed to just the 9-to-5 corporate bits and bobs.

Another big challenge is building sufficient support on the business side of the company to be able to provide adequate support to the newsroom. Reporters who I have talked to are not questioning that they need to be more secure and that they need processes or tools. Once that is provided, they are very willing to try things. You just need to build that bridge and help the business side understand the challenges in the newsroom and the potential challenges that presents for the business, whether from a physical, digital, or legal standpoint, and then produce ways to address that.

Supporting the work that the newsroom is doing means developing products, developing the content management system (CMS), getting stories out, producing new ways to report, retaining subscribers, and funding reporters who go out on investigative trips. All of these things are incredibly important and sometimes more important than security. The challenge is where do I spend my resources knowing that everything is so strapped?

There are a lot of diverse ways that you could improve security at your organization and even if you do not have the resources currently for the best and biggest and greatest product, there are still small things that you can do. It is a matter of figuring out how to focus on this one thing you do have to focus on, even if it’s just one person, two people, or a small team. At this point, not focusing on cybersecurity is not an option.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

1Runa Sandvik’s new startup Granitt secures at-risk people from hackers and nation states, Zack Whittaker. July 15, 2022.