The recent hacks of the Associated Press, CBS, and the Guardian’s Twitter accounts have raised questions about the vulnerability of newsrooms and the real world effects wrought by hackers. After continued attacks by the Syrian Electronic Army, Twitter recommended on April 29th that organizations should take precautions to prepare for further hacks. NPR was also hacked by the Syrian Electronic Army. This year, Bloomberg News, The New York Times, The Wall Street Journal and the Washington Post also have reported being hacked.
So what can news organizations do to tighten up security? And how do journalists cover cybersecurity?
Mike Tigas, a 2013 Knight-Mozilla OpenNews Fellow at ProPublica, is in the process of creating a "Cybersecurity and Online Privacy" course geared towards journalists. Tigas believes simple security measures work well for individual users.
At IRE 2013
Learn how to protect your newsroom and how to cover hacking with two sessions in San Antonio:
“The overall problem is that cybersecurity tactics are inconvenient, so they tend to be glossed over by the average person — but it's like an insurance policy in that it's there to save you from ‘the big one’,” he said. “For organizations, it gets a bit trickier since you often need to give keys to an "official" account to multiple people.”
After the Associated Press account hack, the agency released a false tweet that the White House had been attacked. That false tweet caused a temporary dip in the U.S. stock market. Sean Sposito, a reporter for American Banker who has written about risks of password insecurities for businesses, said that the hacks are inevitable.
"It's about monitoring, realizing when something has gone wrong, and shutting it down," Sposito said.
When AP was hacked, other AP accounts tweeted that the account had been hacked within minutes, and the hacked account was quickly taken offline. Despite the speed with which Twitter responded to the problem, the social media company has received criticism for not having a two-step authentication process.
Dan Nguyen, Head of Data at Skift News, says two-step authentication is a great first step, but says he believes many organizations are already using a third-party service like HootSuite or TweetDeck to publish Tweets. These systems can go around two-step verification. “Some suggested that Twitter should be able to retroactively attach a note to each tweet that would make a note [of compromised tweets],” he says. While he says he believes that could be effective, it wouldn’t replace better login procedures.
Sposito suggests high-profile businesses and organizations should try to establish a relationship with Twitter. Twitter is already preparing to reach out to journalists. Sposito also believes news organizations should use hacks as an opportunity to be transparent about security problems and the reporting process. He cites the New York Times’ management of the email hacking scandal as an example.
Attacks of news organizations will continue, Sposito said, because hackers want to get attention. For that reason, the attacks themselves could even be considered flattering, Tigas said.
“While embarrassing, I’m not sure it necessarily affects the organization’s brand in the long run,” he said. “In a way, it’s telling that the organization was big enough that an attacker would target them in the first place.”