The invisible threat

Whilst most media outlets focus on economic or societal challenges to their viability, digital security is often seen as a lesser priority. The core reason is that digital threats are non-visible, often not tangible and therefore theoretical. However, there’s a relatively simple way out: threat modelling.

The Internet was a great discovery for the media: offering them opportunities to develop new strategies for production, publication and distribution of their content. By definition, the Internet is a technology of freedom: potentially accessible to everyone due to open protocols, decentralized infrastructures with an inbuilt potential to circumvent state-driven monopolies of power, open for new software developments by everyone for everyone and for every purpose. These convictions about the Internet were at least true for the first years of the World Wide Web, and strengthened the myth of the online world as a new world of freedom and democracy.

And today? It seems that this myth has morphed into a dystopian reality for the media: “the Internet” is now seen as responsible for a fundamental economic crisis among legacy media; the undermining of basic news integrity by systematic spreading of fake news; and the weaponization of hate that shuts down open discussion in favor of partisanship for political actors, or just random trolling.

How could this happen? The simplest answer is: We are seeing these dramatic levels of misuse by large groups in a society, not despite the Internet being open and free, but because of that very fact. Alongside the clearly positive effects for society, there are countless examples where those seeking control have misused said freedom.

Non-visible digital threats are the problem

So it looks rather as if creating a digital news ecosystem with sustainable revenue streams should be a first priority for the majority of media organizations fighting to stay viable. And this is what they mostly focus on, as well as their ability to handle challenges like “hate speech” or “misinformation”. This is a reasonable belief, but another negative side-effect of digitalization is still too often overlooked: digital security breaches. Organizations must recognize the need for strong IT security within their infrastructure, as well as digital safety routines for journalists and media activists in their work. If this is neglected, all other efforts will be in vain.

Being open and operating in an open infrastructure also means being vulnerable, for example to account hacking, the physical search of unprotected smartphones or surveillance of communication by states. While these threats are well known in the media sector, efforts to counter them are still relatively weak, both in terms of raising awareness as well as in terms of investing in secure IT infrastructure. This discrepancy between known threats and the almost fatalistic acceptance of them seems paradox. However, it’s actually quite easy to explain.

It’s not new to media actors that they have to counter certain threats. By definition, good journalism questions and criticizes those who (want to) have power. It’s the basis for journalism’s right to exist in a society, its raison d’être: the promise to its audience to serve the public, conducting research in the public domain, even if this means fighting to overcome substantial barriers of power, knowledge or money.

However, traditionally most threats were obvious and public: Reporting on a demonstration and being harassed by people sensitizes journalists to the need for physical protection; government-enforced regulation that encroaches on press freedoms has to be publicly communicated by law, and this can be fought in court; PR agencies producing “news” for commercial interests, seeking to influence or even manipulate public opinion, can be subjected to independent scrutiny in an article. Seeing threats doesn’t mean, of course, that countermeasures are successful by default. But humans tend to protect themselves and their assets especially if a danger is concrete and known.

Here’s the problem: Most digital threats are non-visible, and to many also not tangible enough to develop countermeasures. It might happen that the social media account of a newsroom has been successfully hacked, and yet the newsroom never becomes aware of it. Another example: Journalists fail to recognize that their phone calls are being intercepted by a third party, such as the police. Digital risks are mostly theoretical, potential threats, and the person or organization being surveilled may never find out whether the perpetrator was successful or not. Or worse: Even if the surveillance or hacking is discovered, it’s typically too late. Knowing that an account was hacked might prompt the victim to install better security settings in the future, but the data is in fact already lost. Establishing that a computer is infected with ransomware and the malicious software is encrypting all data stored on it doesn’t halt the attack—it’s too late.

Countering threats is essential for media to stay viable

As we enter a data-driven society, risks to the integrity of data or even loss of access to it could be mission-critical for both the editorial and the financial success of media outlets, and therefore for their viability. If dozens or hundreds of employees lose access to their data because a company’s system is infected with a ransomware-trojan, within seconds the company is unable to continue its work.

Moreover, a solid security system is essential to the public role of journalism: The media cannot be an effective watchdog and check the actions of government if this government has access to its communications. Countering these threats is essential for media to stay viable.

To do this, it’s important to overcome the “dilemma of prevention” innate in digital security. Media outlets have to invest in their digital security efforts—money and/or human resources—in order to stay digitally safe, even if they do not “see” the threats. However, the dilemma is that even those organizations who invest in their security will never be sure whether their efforts have paid off, because the threats are invisible anyway.

So, outlet A investing in digital security seldom has a clear advantage over outlet B that has invested nothing. The wisdom of the investment could only be demonstrated by outlet A successfully warding off an attack that outlet B could not. However, it’s also possible that both A and B sustain a breach without being aware of it, for example due to unknown surveillance methods for which as yet no defense exists. In this case, the investment may even become unjustifiable, because it was not enough to counter the threat.

Doing nothing in relation to digital security is not really an option, either. It would mean becoming more and more vulnerable over time, and therefore a more likely target. Cyber criminals, for example, like to choose the worst-protected victim available, as it means they don’t have to invest much in their skills and still have a great chance of success. Aside from this, it would send a negative message to potential sources if the media outlet were obviously not properly equipped to keep its data safe.

To overcome the dilemma of prevention, there’s actually only one option: Accepting that data protection is mission-critical for any media outlet, the only option is to constantly assess their digital situation via a so-called threat model. This is a structured process defining a media outlet’s protectable data, identifying potential attackers and their capabilities, and lastly making a list prioritizing threats that are considered most likely to happen, while others remain abstract and theoretical. Such a threat model is an indispensable component for a holistic security concept, reflecting digital and physical risks as well as legal considerations, so that it clearly shows where it’s best to invest resources.

This is not a foolproof solution for the dilemma of prevention, but it’s still the most rational way to invest in digital security. From IT consultancy we know that absolute security is not possible; moreover, state-driven attacks in particular are probably hard to counter at all, if state actors are really determined to access someone’s data. Their financial, personnel, technical and legal resources are enormous. Relatively unsophisticated attacks by cyber criminals or online trolls, however, are easy to detect in advance and also fairly easy and cheap to stop before they happen. It’s an investment in the safety and security of journalism, and therefore another factor of increasing importance for each media outlet’s viability

Daniel Moßbrucker is a freelance journalist and trainer for digital security. He studied journalism at the TU Dortmund and digital journalism at the Hamburg Media School. As a journalist he regularly publishes about the topics surveillance, data protection and internet regulation. Moßbrucker is a trained trainer and trains journalists at home and abroad in digital security and Darknet research. He advises editorial departments and NGOs strategically on the development of their IT security. In this context, he also worked for Reporters Without Borders and DW Akademie, before starting a dissertation project in which he has been investigating the effects of surveillance on journalism.