Journalists Need Infosec Skills

They teach you a lot of different things at j-school. Information security skills don’t tend to be among them. They should be. For the most part, journalists only take hostile environment training before being sent to war zones or on other dangerous assignments. Not all journalists carry out that type of reporting, but try to find a journalist that doesn’t use the internet during the course of their work.

These days, you can’t.

Back in 2018, the Columbia Journalism Review found that only half of journalism schools in a survey of 32 offered any type of cybersecurity education. Only a quarter made it mandatory. Of the ones that actually offered any type of training, the majority only required about two hours of it. That’s a massive blind spot in journalism education.

With ever-increasing threats to digital security and privacy, everyone who uses the internet should have some basic knowledge about staying safe online. That’s kind of the premise of Cyber Security Awareness Month, which is observed every October.

But journalists are among those for whom cyber security awareness is especially important. Here’s why.

Journalists Are A Target

Even if they don’t set out to do so, the work of an investigative journalist will often ruffle feathers. From governments to corporations, there are plenty of entities out there that would rather not land in the spotlight of attention.

Just consider how many journalists end up the target of digital surveillance and espionage campaigns by authoritarian governments. Not all reporters are technically savvy, either. Even if they know how to navigate media law or understand complicated government processes, they may not know how to spot a simple phishing attempt.

Journalists are also, pretty much by definition, public figures. While there are exceptions out there, most media outlets wouldn’t dare trade credibility for anonymity. Because of that, those who work in the media can be easier targets for malicious actors.

And then there’s the current media environment. It’s not too much of a stretch to say that trust in the media is waning and open hostility toward journalists is increasing. Even if they aren’t the target of government surveillance, they may be the target for a troll or attacker who just doesn’t like what they’re saying.

Whatever their feelings about the media, few can argue with the fact that freedom of speech and a free press are essential tenets of democracy. The ability to publish factual information should never be threatened.

Sources Need To Be Protected

Information gathering is arguably the most important part of a good news story. That information is typically gathered from people. In the intelligence world, they call that HUMINT. In the media, we call it reporting. But there are plenty of times when a source is actually putting themselves in danger by revealing information to someone in the media. A good muckraker may be a target, but so are his or her sources.

There’s a good story that relates to this. Back in 2013, Edward Snowden was attempting to blow the whistle and get highly classified information to a reporter. He, at first, contacted someone at The Guardian. That reporter didn’t use email encryption and didn’t have the time to set it up. Snowden moved on.

The point has nothing to do with Snowden or PGP encryption. It has to do with a reporter’s responsibility to protect their sources and their ability to communicate with sources who require secure channels.

While reporters are protected in the U.S. from having to testify about their sources in court, there are other methods beyond legal ones to uncover whistleblowers and confidential informants. Because of that, surveillance self-defense and at least basic knowledge about encryption and secure messaging standards is absolutely essential.

OSINT Techniques Aid In Storytelling

The focus, thus far, has been on defense security techniques. But there’s a place for other information security skills in good reporting. Enter open-source intelligence, better known as OSINT in the information security world.

Reporters who sift through government documents or data journalists that collect and disseminate datasets are all essentially performing OSINT. But there are other OSINT tools and techniques that reporters can leverage.

Those skills, tools and techniques will only become increasingly important as more of the world becomes connected and more information gets published online.

The applications are endless, whether someone is reporting on government corruption or cyber crime. There are plenty of OSINT experts in the information security field who are extremely good at what they do. Good reporters should learn from them. This is not a call for journalists to do anything illegal when gathering information. But investigative reporters well-versed in OSINT skills can leverage those techniques to write and tell better stories.

Security Journalism Is Important

As we move forward in an increasingly connected world, it’s only going to become more important for the average citizen to know about the threats to their digital security and privacy. Most people in the information security world can probably attest to the fact that the average digital citizen should take cyber security awareness more seriously. And while security researchers have a role to play in this, informing the public is basically a reporter’s entire job description.

Journalists may also be better-suited and better-prepared to distill hard-to-understand knowledge into bite-sized and easily consumable chunks of information. (On the flip side, infosec professionals with a talent for writing should also help with the task of informing the public.)

More than that, there’s also the need for both sides of a story to be relayed to the public. Good journalism has always understood this. A good security writer with connections will be able to speak with both black and white hats and craft a compelling narrative for the average person.

The media and information security industries should work together toward making the current digital environment safer for everyone. The first step are journalists with an interest in information security and enough knowledge to understand and accurately relay that information to others.

What’s The Solution?

To be clear, this is not a call for journalists to become hackers. But the ability to think like a bad guy, to identify vulnerabilities in their own security, and to patch up avenues of attack are all invaluable skills for someone who may find themselves with a bulls-eye on their back.

Of course, not every reporter carries out investigative journalism or dangerous reporting assignments. But there’s a need to balance the need for training with the need to be proactive. There are plenty of reporters who can attest to how quickly a routine and simple story can become something a lot bigger. By the time you become a target, it’s pretty much too late to learn these skills.

And this is all especially true for freelance reporters who don’t have the resources of IT departments or established media outlets. In the gig economy, that type of reporter will only become more commonplace.

All of this is to say that, if you’re a reporter, you should take Cyber Security Awareness Month seriously. Learn some information security skills or brush up on security training. Journalism schools should also clearly incorporate information security courses into their curriculum.

And if you’re an information security professional, make friends with someone in the media who you respect. Give them a few pointers. In an era of increasing hostility toward journalists and the media, they’re going to need them.