InfoSec: The New York Times Way
The New York Times has revealed the steps it takes to protect its journalists’ privacy and online security. Speaking to Vice on the CYBER podcast, Runa Sandvik, the newly-instated senior director of information security at The New York Times shed light on the tools and practices employed by the media organization to maximize safety for its staff.
The Importance of InfoSec
Securing information stored on computing and smart devices is a much-discussed topic.
In just 2018 alone, there were over twenty serious data breaches with millions of people’s personal details affected. The organizations targeted ranged from travel sites, social media websites, and online retailers. Sensitive personal data and financial information belonging to millions of people were compromised in the breaches.
In the cryptocurrency world, the importance of information security cannot be overstated. As a novice, the first piece of advice you will receive will be creating strong passwords for any accounts on cryptocurrency exchanges and private keys and seed phrases safe. Despite the oft-cited infosec pointers, there are still numerous accounts of users losing their digital assets.
Additionally, while security is a challenge for individual members of the digital asset community, more centralized parties such as exchange platforms or even blockchain-based startups have not escaped unscathed. It seems like a daily occurrence that a report about a theft or a data breach emanating from an exchange hack or negligent infosec practices emerges.
The media sector is no different. However, in the cryptocurrency sector, and most other industries, the stakes are mostly financial in nature, meaning that hackers resort to this sort of behavior to acquire some revenue stream or financial leverage. In journalism, such behavior is usually motivated by more sinister reasons and with more important objectives at stake.
For journalists, such as those working at The New York Times, the actions they take in the course of their work may expose them to dangerous situations where they are targeted either for merely reporting the happenings in their media pieces or for exposing previously unknown information.
For instance, an American NYT journalist, Kenneth Vogel, was threatened with bodily harm while a Mexican journalist, Javier Valdez, was shot dead after which his family and friends were targeted for a hack in the days following his death. While unfortunate, it is safe to say that most journalists go into their line of work with the knowledge that they may, at some point in their career, be in danger while discharging their duties.
However, for the sources who provide the sensitive and explosive material to journalists, the reality of a dangerous future is not one they had expected nor prepared for. Moreover, the danger is likely higher, if the information pertains to large organizations with money, influence, powerful people or governments.
For whistleblowers, their revelations generally expose them to heightened levels of danger and may even result in death. Therefore, for journalists, keeping the information on their devices secure can mean the difference between life and death for their sources.
Speaking on the CYBER Podcast, Runa Sandvik espoused the importance of infosec as part of a journalist’s duty to their source.
“How important is it for journalists to protect their sources? If you are going to argue that you would go to jail for a source, why wouldn’t you turn on two-factor for a source? Right. You can’t say that you are willing to take the steps that are necessary to protect a source if you are not doing that on the digital side as well.”
Data Security at The New York Times
The New York Times is no stranger to attempted hacks.
The media organization revealed that Chinese hackers had targeted it for months in 2012. Following their investigation into the riches amassed by relatives of the country’s prime minister Wen Jiabao, the media organization witnessed a barrage of attacks designed to infiltrate the system and allegedly gain access to data regarding the case.
Sandvik, who previously worked on the Tor project, an anonymous routing service designed to maximize online privacy, reveals that media organizations will typically see the same attack vectors from would-be attackers. She explained:
“Historically, The Times has been targeted by nation-state actors like China back in 2012. We also see whatever common adware, scam, bitcoin scam thing floating around. So whatever is hitting other media orgs, we are likely to see as well.”
Following the 2012 revelations, the organization has been more intentional with its security. The organization has put in several practices in place to maximize cybersecurity. The biggest of these is employee education. The organization has an onboarding process for new employees where best practices with regards to infosec are discussed.
She further explained that greater defenses are mounted for journalists.
“We do have the onboarding training that you get when you join the company. It is security awareness, I would say [the] basics. And then from there, we have additional info and then on top of that more targeted specific guidelines.”
Tips for Staying Safe
Sandvik is somewhat a celebrity in the information security world, because of her work at Tor, the fact that she once hacked a smart gun, and her most recent appointment to the newly created position at The New York Times.
She reveals her personal safety tips which she uses to protect herself and her data.
On traveling, Sandvik explains, “What I do for myself is that I have a travel laptop and I have a travel phone. So at any point in time, those devices are clean and set up for that trip specifically. [So] that if at any point in time those devices are lost, stolen, or seized I would only be exposing information that is relevant perhaps to that trip specifically and not everything I’ve done in my life.”
Lastly, Sandvik reiterated the importance of staying informed on how to judge apps and other services or even hardware before purchasing them. In the cryptocurrency world, this is called DYOR, or “Do Your Own Research,” and it looks like the reiterated advice is sound across all sectors.
“We are teaching the base level plus the specifics on top of that. I think a good example would be to talk about the mobile apps and which ones are the best ones to use for secure comms. [But] instead of us trying to stay up to date on the pros and cons of all the different apps that are out there because there is a new app every day, why not instead just teach, “here is how you evaluate an app?'”