New digital newsrooms that rely almost entirely on the internet to work need to bulletproof not only their stories, but also their entire information system, including how information is stored, processed or exchanged via electronic means.
Technological attacks against websites, editorial servers and investigative journalists' personal accounts are on the rise. Governments, corrupt companies and criminal groups are trying to exploit any vulnerability of media organizations to obstruct independent investigations and, if possible, to destroy sensitive information. In some cases, a cyberattack is the first step in a chain of aggressions that might end with a serious or deadly physical attack. We have seen several such cases in Mexico, one of the most dangerous countries for independent journalists.
Since digital newsrooms are more and more involved in data mining and digital investigative reporting, they are attracting the attention of tech-savvy adversaries who can block investigations, delay publications or even destroy information before it is published.
Connectas Hub is one example of this trend. This investigative reporting platform in Latin America was coordinating the publication of several stories on abuse and corruption in the Mexican government when the website experienced a major distributed denial-of-service (DDoS) attack that took the site down for days. Previously, Connectas detected attempts to infect their computers with a malicious virus after running a series about corruption in Nicaragua's customs agency and the construction of the Nicaragua Canal, a project backed by Chinese companies.
After these attacks, Connectas worked with me to set up Deflect, a free service that helps independent media and other organizations protect their websites from DDoS attacks.
At that time, Connectas was one of the 100 newsrooms in 80 countries across the world that helped report on the Panama Papers, a leak of millions of files revealing the hidden finances of global elites.
There was no digital forensic investigation and Connectas was not able to confirm who was behind the attack. Still, the case highlights the need for newsrooms to improve their ability to face down large-scale cyberattacks.
Here are 12 tips that newsrooms can immediately apply to protect their digital systems.
1. Design an information security strategy. This means a newsroom should understand their adversaries, vulnerabilities, capacities and their own level of risk. You can use the Digital and Mobile Security for Journalists and Bloggers Manual I wrote as a Knight Fellow (Spanish and Arabic, English version is coming) to help design your newsroom digital security strategy. You can also use this comprehensive list of tips to bulletproof a digital newsroom.
2. Get extra protection from DDoS attacks. I recommend applying for Deflect, which is managed by a Canadian organization led by Dmitri Vasiliev, a pioneer in digital security for human rights defenders. Newsrooms can also apply for a protection service offered by Google through the Project Shield initiative, which uses Google’s security infrastructure to protect news websites.
3. Hire someone who will attack your newsroom's digital security system to look for vulnerabilities. This is known as a “pentester” in tech jargon. While there are a few pentesters who may work pro bono, you can also apply for help from the Information Safety and Capacity Project (ISC Project), a nonprofit based in Washington, D.C. Additionally, some private companies provide this service at a very low rate — try Pakal Security Labs in Guatemala.
4. Look into your website hosting company. They may already offer services that can help you monitor your newsroom and block any attacks.
5. Ensure your digital newsroom follows secure coding principles. Try using the Open Web Application Security Project’s (OWASP) list of web security risks as a guide.
6. Make sure that your IT department keeps the server software updated and patched. This will help protect all networked computers from virus infections.
7. If you are involved in a crowdsourcing project or use whistleblowers, make sure that your website has a SSL certificate to encrypt traffic. Media organizations can purchase SSL certificates at a very low cost from most hosting service providers.
8. Use the Salama app to evaluate risk for members of your newsroom. The app, which I created during my ICFJ Knight Fellowship, provides journalists with a guide to understand risks they are facing and customized advice for reducing them.
9. Make sure your organization meets basic information management security standards. One point of reference is the standards laid out by the Swiss-based International Organization for Standardization (ISO).
10. Make sure that reporters and editors use encryption systems and digital security tools while working on sensitive stories. You can use the Salama Library to access tips on how to bulletproof the editorial process.
11. You can also take a look at the digital security toolkit for investigative reporters I am curating with support from the ISC Project. This resource includes tools created and curated by the Guardian Project, the Electronic Frontier Foundation, Tactical Tech and other players.
12. Train both editorial and non-editorial employees to recognize social engineering and phishing attacks.
Main image CC-licensed by Flickr via Karol Franks.
Editor’s note: This post is based on ICFJ Knight Fellow Jorge Luis Sierra’s digital security presentation at the 2016 Investigative Reporters and Editors Conference on June 16-19. The post was also published on IJNet, which is produced by ICFJ.