Runa Sandvik, who has previously helped journalists secure their devices and data at The New York Times, Freedom of the Press Foundation and the Tor Project, recently discussed her work on the Decipher Podcast. This is a condensed and edited version of the conversation.
Lindsey O’Donnell-Welch: Tell us a little bit about how you got involved in working with the press, specifically. What first drew you to this industry in particular as it relates to cybersecurity?
Runa Sandvik: So back in 2009, I was just about to start the third year of my bachelor's in computer science and I was looking for a summer internship, and I learned about Google Summer of Code and about the Tor Project. So up until that point I hadn't really heard of Tor before, and I hadn't really considered internet censorship or privacy. Growing up in Norway I was definitely very privileged, and so I started reading about Tor and ended up working for the Tor Project that summer, and initially I just thought it was really, really cool that you can use technology to be anonymous online, that is technically possible. But at that point I didn't immediately consider just the benefit that that tool would have for so many people around the world. And so I ended up working for the Tor Project for about four years in total and it was in large part through the people that I got to meet, the people that I got to work with, the projects that I got to work on, that I really got to see just how much that tool can do for people around the world, what it enables them to do that they otherwise couldn't do. And it was around 2011, Tor got funding to train reporters, and I ended up leading that project, and figured out very quickly that like it's not super helpful to teach a reporter how to use Tor if they're not really familiar with security best practices, like unique passwords, two-factor authentication, software updates, secure communications on mobile. And so a lot of my focus then became building a curriculum around that, which is then work that I've since taken to Freedom of the Press Foundation, The New York Times and certainly to a lot of the consulting work that I'm doing now.
Lindsey O’Donnell-Welch: Having your roots in the Tor Project is really interesting too, just because it has broadened to reach lawyers and activists and political dissidents, journalists as well as students. That's kind of interesting, that development of the platform and how it's progressed over time.
Runa Sandvik: Yeah, It's been really interesting just to see how the tool itself has developed over the years, the community that has built up around it, and it's also been really interesting to see just the public narrative around the tool. So early on when people first got to know about Tor, it was sort of talked about as this tool that's created by the U.S. government and it's funded by the U.S. government, then it turned into this tool that allows bad people to do bad things and that was the narrative for quite some time. But now in the past couple of years I've seen less of those types of scary stories, and just more a solid narrative around just how impactful and helpful this tool can be.
Lindsey O’Donnell-Welch: Do you see that with privacy tools in general, that acceptance from the broader public in terms of how they can be used?
Runa Sandvik: I think so, I think there's definitely been a sort of shift around just how people view privacy and security tools. Like you've got that sort of similar debate around, there was a point in time when using encryption was a sort of like weird, odd suspicious thing to do, where if you encrypted something surely you had something to hide. And now encryption and also end-to-end encryption is just becoming this standard default, and people shouldn't really have to think about whether or not their communications are secure.
Lindsey O’Donnell-Welch: So when you were the senior director of information security at the New York Times, what did that role look like? Were you primarily interacting with reporters, were you working with management teams to look at these different security procedures?
Runa Sandvik: So when I first joined the Times in March 2016, I came in as the director of information security for the newsroom. So at that point, the company had an existing security team already and had a CISO, and had analysts and compliance people, pentesters. But no one was dedicated to security in the newsroom. And so what I spent a lot of time doing initially was like I was at that point, back in the day, when we had an office, I was physically sitting in the newsroom, I was interacting with the reporters everyday, I was trying to figure out what do they know about security, what kind of questions do they have already, what kind of questions do they have about internal policies. Do they know what we can do to support them, what is the baseline for security in the newsroom, what are measures that we can put in place moving forward, how does that fit in with the overall security program for the company and then to your questions about management, a lot of the sort of security needs of a newsroom are ultimately supported by IT and infrastructure and security. So then there were a lot of discussions with those teams as well, just to try and figure out what do we have, what can we roll out, what can we enforce, what can we acquire, how do we best enable the newsroom to do what it does but in a safe way?
"I think there's definitely been a shift over the years in how reporters think about cybersecurity, what kind of reporter considers security, and also how proactive security teams at media orgs are in interacting with the newsrooms."
Lindsey O’Donnell-Welch: That makes sense. When you first looked at the baseline, as you described, what did that look like for a lot of reporters in that newsroom?
Runa Sandvik: I think there's definitely been a shift over the years in how reporters think about cybersecurity, what kind of reporter considers security, and also how proactive security teams at media orgs are in interacting with the newsrooms. So historically it was sort of the case that, if you spoke to someone who worked on national security issues or who worked on cybersecurity issues, they would have some level of knowledge. They would be at least familiar with the language, the phrases like a password manager and two-factor authentication, and like the importance of updates and all of those bits and pieces. I think over the years, though, I think we’re starting to now see this shift where people, regardless of their role, whether they're writing about styles in The New York Times or whether they're a lawyer or content creator on Instagram, that people do know the importance of foundational security practices. So, I think that's sort of been the hardest part, because it's not like we don't have the tools - sure there was a point in time when we just didn't have the tools to do these things securely and then some of the tools existed but they were like hard and clunky to use or they were expensive - but now the tools are out there. People can easily use them and turn them on, so it just becomes a challenge of how do we make people aware and how do we communicate this in a language that actually makes sense to them. And I think that we've gotten far, far, far better at that over the years.
Lindsey O’Donnell-Welch: It’s interesting, your point about different types of reporters having different levels of awareness of cybersecurity measures and how they can implement them because right now working as a cybersecurity journalist is a lot different; like I used to be working in the local news, right after I got out of college. That was a very different environment for how cybersecurity was talked about, in that it wasn't talked about at all. So it’s just very different and also security is really impacting a lot of the everyday topics that reporters are writing about. So I do think reporters across the board need to become more aware of cybersecurity and then also how they can better secure themselves and secure their sources.
Runa Sandvik: I think you're exactly right, I mean I often say that digital security is a core part of the journalistic process. It's not like we're lacking the tools - we can easily provide tools, we can provide hardware, we can come up with a workflow that actually makes sense for a specific project or for a trip or for a team in a newsroom - The only piece missing is that line of communication then between the reporters and the teams supporting them.
Lindsey O’Donnell-Welch: You mentioned too this level of awareness, has that awareness broadened just because of the cyberattacks and the security incidents that are being reported over time? I know we saw the whole News Corp cyberattack that occurred recently, and that was part of a persistent cyberattack where I think Mandiant researchers said it was likely due to espionage. So are events like that, which are particularly focused on newsrooms or organizations that own news companies, are they increasing the awareness? Or is it just that cybersecurity in general is becoming a bigger topic across different industries?
Runa Sandvik: I think both but I do think more so the latter, that security, the importance of it, the things that anyone and everyone can do right now to be safer; the fact that we're talking about it more, just means that it is sort of becoming part of everyone's language. If I say password, few people will sort of question what that is; if I say two-factor, most people will know what that is or at the very least they will be familiar with this concept of a code that comes to your phone so that you can log in to check your email. I think that definitely it is great to see the companies are also a bit more open and transparent about the incidents that they had even in cases where they're not really sure exactly what's happened or what's been taken or what was exposed. But just going out and seeing like here is what we're seeing and here's what we're experiencing, just makes that a bit more common, which to your point just sort of helps with awareness.
"One big challenge that I see is that as a journalist the way that you communicate with the public is that you get emails from strangers and you get links and you get attachments and images and videos, and as a journalist your job is to click on those links and open those attachments."
Lindsey O’Donnell-Welch: Now, when you know when you're working with journalists, what are some of the unique challenges that are specific to newsrooms that they might face when it comes to security. One thing that personally came to my mind was kind of the shoe-string budget that a lot of newsrooms are dealing with and how security could be kind of tightened given those budgets but I don't know if there are other ones or if that was one.
Runa Sandvik: I think that's definitely a good point. There's a fairly small budget in a lot of newsrooms and in some cases there's no budget at all. I do know that there is tech companies out there that do provide either a discount or products for free to newsrooms and to reporters, which I think is fantastic. Beyond just the challenge of paying for either consulting or paying for equipment or tools or things like that, one big challenge that I see is that as a journalist the way that you communicate with the public is that you get emails from strangers and you get links and you get attachments and images and videos, and as a journalist your job is to click on those links and open those attachments. And while there are really cool, technical, nifty ways that I can set up for you that helps you do that in a super secure way, it's not always going to be very usable and so the sort of challenge there is figuring out what is it that we can set up for you that will make you as safe as possible, without necessarily compromising your ability to work in a way that you're comfortable with, and also work at the speed that journalism often requires.
Lindsey O’Donnell-Welch: That's such a good point. I mean looking at journalists too, it's such a public facing thing that you know your email is out there, your phone number is out there. A lot of specific details about you can be out there that can easily be leveraged for phishing or other types of email-based attacks. It all kind of points to the fact that media is becoming more digital or has already become more digital and there are a lot of threats there and challenges in terms of growing pains that media organizations face when they're looking at security.
Runa Sandvik: Exactly, like I said earlier, it's not that we're lacking the tools- we have the tools, we have the hardware - it's just a matter of figuring out what is the sort of right balance between security for usability for you, the speed that you need to still do the reporting work and also being able to like frame this in a way that sort of makes sense both for leadership and the people who hold the checkbook, and also you as the sort of person who now has to use these tools on a daily basis.
Lindsey O’Donnell-Welch: Is there the right balance in terms of framing that that you have found works for the upper level management?
Runa Sandvik: I think the trick there is to make it relevant to the audience, and I think if you read about, say, News Corp being hacked by, was it China I think, and there's a possibility that they were like in their systems for two years; if you’re at a small company, not newsroom, you take that article to leadership and say "look cyberattacks do happen, I need an increase in budget," I'm not sure that's going to fly if leadership aren't already sold on the importance of security and understand that something like that could also happen to that company. Because it becomes so far removed and so hard to relate to. And so I think that the more specific you can get, the more specific you can frame it for the person that you're talking to or the team that you're working with the easier it's going to be for them to really understand why it's important and how it's impacting the company.
Lindsey O’Donnell-Welch: I'm sure that also applies to other industries beyond newsrooms as well.
Runa Sandvik: Yeah, I mean it's sort of the same when you're doing any sort of security education. If I talk to a group of reporters that are writing obituaries, and I talk about NSA-level surveillance and the need to encrypt everything and Russian hackers and gag orders; Sure, they've probably heard of these things. But that's not necessarily going to resonate with the type of work that they're doing. So if my goal is to help them create better passwords and use two-factor authentication, those examples may just not land with that audience at all, and so regardless of exactly who you are talking to, or for what purpose, you really need to relate to who they are and what they need and speak in a way that actually makes sense.
Lindsey O’Donnell-Welch: What would your message be for newsrooms in terms of the best practices that they can adopt, just in terms of first steps that they can take, because sometimes it is overwhelming I'm sure.
Runa Sandvik: The very, very first step I would suggest is to create a working group internally with the people who are in the newsroom and are knowledgeable about security and care about that topic. And if you also have like an internal IT team or infrastructure team or security team, loop in someone from that team as well. Maybe someone from legal who's familiar with the challenges in the newsroom if you have someone who works on physical security stuff, include them as well to really build up a team of people from across the organization that care about this topic, and that can sort of help drive the development of a secure plan and figure out these workflows and figure out [questions like] what do we have and what is the budget and what could we possibly do and like what is our baseline and how do we improve from there?
Lindsey O’Donnell-Welch: I like that you are taking the approach where you're looking at the culture of the workplace as opposed to just saying, “you need to enable two-factor authentication or mandate stronger passwords;" which obviously are needed but it is something that needs to be more of an approach where it comes from the actual workplace and accounts for the specific challenges in the workplace and the people within the workplace.
Runa Sandvik: Exactly, I think if you are going to see improvement at scale, you do really have to make that part of the culture and making it a part of the culture sort of requires you to make that part of just day-to-day discussions. Like when you're starting up a new investigative project, also talk about “do we need new laptops, do we need new phones, are we going to travel, which secure messaging app are we going to use for this project, are we okay using Google drive for this or should we consider something else?” I think the more you can incorporate these challenges and tools and security practices into that day-to-day discussion, I think the easier it's going to be.