Cyber security often makes the news thanks to data breaches, high-tech police busts of criminal networks and debates over end-to-end encryption. Journalists regularly report on cyber security, including investigating the causes of data breaches, tracking policy and political debates, and covering new developments in digital technologies and electronic surveillance.
Arguably, journalism is doing a lot for cyber security. In fact, recent research shows media reporting was a driver of board-level engagement with cyber security issues in organisations. But what is cyber security doing for journalism and more importantly, is cyber security failing journalism?
Cyber security intersects with journalism daily. Journalists use a wide range of devices to do their work and protect their sources including mobile phones, computers, cloud products and services, enterprise and standalone software, databases, encrypted messaging apps such as Signal, ProtonMail and SecureDrop, and other digital products. Journalists also face personal cyber security threats, such as attempts to install malware and spyware on their devices, phishing and ransomware attacks and scams. Newsrooms face broader challenges related to digital surveillance and data privacy because of state-sanctioned technical interventions, software vulnerabilities and growing reliance on external cloud platform infrastructure.
While many journalists have reported extensively on cyber security breaches and threats, researchers from Deakin University and the University of Dundee found journalists' own practices to protect themselves and their sources were lacking due to lack of knowledge, support and training. The researchers outline the relationship between cyber security and journalism in Australia and Scotland in the context of surveillance of Australian and Scottish journalists and their sources. The researchers asked journalists in both countries how they practise cyber security, and both reports make recommendations for improving those practices to protect journalists and their sources. It is evident that the cyber security of journalists requires further inquiry.
Journalists using digital products and services need excellent ‘cyber hygiene’ to avoid unlawful surveillance, security and law enforcement overreach and identification of their sources. According to the journalists interviewed by the researchers, their cyber security practices were often self-taught, learned on the job or gleaned from colleagues. This presents a potentially serious skills gap that exposes journalists and their sources to surveillance and interference. Media companies may roll out their generic internal cyber security awareness for employees, but do they need special programs and training for journalists to protect themselves from harms in the cyber realm and most importantly, are they able to lawfully protect their sources with good cyber security tools?
It is timely to revisit cyber security and journalism. A recent Independent National Security Legislation Monitor consultation on legislation that impacts the work of journalists has brought the cyber security practices of journalists into sharp focus. Watch this space.
Dr Susanne Lloyd-Jones, CMT Research Associate