You’re a reporter who’s deeply invested in covering your local community, right? Maybe you’re an education reporter or cover health in your area. Maybe you cover a politics beat, with a focus on corruption, or an economics correspondent tracking the flow of money in and out of your region. And you love hitting the pavement (or the local board meeting) to get the scoop.
But when the coronavirus hit America in March 2020, it was like you had to re-learn how to gather news. And you weren’t the only one. Overnight, your town government or local chamber of commerce had to adapt to providing services online. The students in the schools you cover suddenly became wholly dependent on Internet-connected devices to learn. Community hospitals had to switch to online billing and record-keeping, providing tele-health, and the ability for non-frontline workers to work from home.
The forced shift to operating almost entirely online widened the attack surface enormously. At least 400 K-12 schools fell victim to cyberattacks in 2020. Meanwhile, 600 hospitals and medical clinics were targeted last year, compromising 12.3 million patient records. At least 4 state or local governments were affected by the SolarWinds attacks. Thousands of businesses, from main street to big-time employers, lost billions in revenue to downtime and cleanup after cyberattacks.
Then, one day, an adversary compromises the “Big Organization” in your town. You’re not a tech reporter. Where do you even begin your reporting? There’s no scene of the crime. The perpetrator could be in another country. Who do you ask? What does the public need to know?
To help answer some of these questions, the Global Cyber Alliance’s Newmark Journalist Scholar, Julian Hayda, recently talked with Katie Nickels, Director of Intelligence at Red Canary, at the 2021 Online News Association (ONA) Conference.
The typical “five Ws” that journalists use to establish the facts of a breaking news story—who, what, when, where, and why—are inherently harder to pin down in a cyber incident. If you’re a crime reporter, your instinct is to go straight to the scene of the crime. You can’t do that in cyberspace the way you would with, say, a murder. The timing may also be a mystery: an adversary can be inside a computer system for weeks or months before any effect is felt, so the date a breach is discovered is rarely the date it began.
Some of the “five Ws” can nonetheless provide a springboard for some hard reporting, even if the answers may be a bit muddy at first. According to Nickels, questions like “What data was stolen? Was there any money lost? Was there any critical system downtime?” are important to ask in serving the public. Motivations shouldn’t be treated as mutually exclusive either—an adversary might be stealing data for personal gain, on behalf of a powerful interest, or in the name of activism all at the same time.
“Don’t get intimidated by every single technical detail. Think about the overall big picture of what happened so the average person understands,” said Nickels. Here are some common mistakes that she’s found journalists make when reporting on cybersecurity:
Forgetting to use estimative language or hedging words like “likely”, “suspected,” or “alleged.”
Focusing only on attribution. Sometimes the perpetrators of a cyberattack aren’t the most important part of the story.
Attributing an intrusion to a country is hard and nuanced. Independent hacking groups don’t have fixed relationships with the states where they’re based or operate, and those relationships can change over time.
Terms and concepts also get conflated, warns Hayda, such as when social media influence campaigns are described as “hacks” even though no system was ever broken into. Sources may also have personal interests in overstating or understating a claim, for instance to paint a political adversary in a bad light. That’s why it’s important to ask lots of questions until you have real clarity. Running your own metaphor past a source (“so it’s like someone copying a key, not breaking a window?”) is a good way to find out whether you’ve understood them.
Even though a lot of cybersecurity or law enforcement sources may use technical jargon, it doesn’t necessarily serve the audience. Nonetheless, it’s important for reporters to have a basic working knowledge of some terms:
‘Hackers’ is often used as a synonym for ‘criminals.’ Nickels says that not all hackers are bad: the word describes an activity, not an intent. When reporting on a local attack, consider using words like ‘adversary,’ ‘actors,’ or ‘operators’ instead.
‘Malware’ is a portmanteau of ‘malicious’ and ‘software,’ and refers to any harmful code or program that ends up on a device or network. ‘Ransomware’ is a type of malware that encrypts files and demands a ransom in exchange for the key to decrypt them. Many ransomware operators also steal sensitive files before encrypting them and demand a second ransom so the files won’t be published.
‘Phishing’ is a social-engineering trick that gets a victim to do something harmful, such as installing malware or typing a password into a fake login page. This usually refers to a phishing email but can also refer to scam calls, text messages, or even snail mail.
Words like ‘attack’ often imply destruction or tampering, but it can be an imprecise term. For example, a phishing email might be considered an ‘attack’ even if the receiver never opens it, and malware is never installed. In the case of a newsworthy cyber event, consider using ‘compromise’ or ‘intrusion’ instead.
A ‘Denial of Service (DoS)’ event is when operators flood a system with more traffic or requests than it can handle so that legitimate users can’t reach it; when the flood comes from many machines at once it is called a ‘Distributed Denial of Service (DDoS).’ This is different from malware, which is typically used to gain access to a system. A DoS is about preventing anyone from accessing that system, not about getting inside it.
Most intrusions follow common patterns, though the specifics vary depending on the operator behind them. The stages below use the vocabulary of the MITRE ATT&CK framework, which defenders use to describe adversary behavior:
Initial Access: The adversary gets access into a local network. For example, this can be when a student clicks a link on a phishing email while on a school computer, or when a police officer downloads software from a malicious website.
Persistence: The adversary is trying to maintain their foothold within the network without getting ejected.
Lateral Movement: The adversary is trying to move from the first compromised system to others on the network. For example, initial access through a local parks department computer might lead to the municipal criminal or tax databases where far more sensitive data is stored.
Command and Control: The adversary is trying to communicate with compromised systems to control them.
Exfiltration: The adversary is trying to steal data.
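The stages above are how investigators reconstruct what happened, and that reconstruction is where the “when” and “where” answers actually come from. The following Python example is added here to illustrate that process; it is not code from the original article, from Red Canary, or from the Global Cyber Alliance. It runs a handful of hypothetical detection rules over constructed log lines (invented for this example, not from any real incident), tags each event with the stage it belongs to, and computes the “dwell time” between the first sign of initial access and the data theft, which is the gap between when an intrusion began and when its effects were felt.

```python
import re
from datetime import datetime

# Constructed sample events (not from any real incident). Format:
# "<ISO timestamp> <host> <message>". Each line stands in for one piece of
# evidence an investigator might pull from mail, endpoint and network logs.
SAMPLE_LOG = """\
2021-03-02T09:14:05 lab-pc-17 mail: user jdoe opened link hxxp://update-portal.example/login
2021-03-02T09:14:40 lab-pc-17 proc: powershell.exe launched by outlook.exe
2021-03-02T09:16:12 lab-pc-17 task: scheduled task 'SystemHealthCheck' created
2021-03-02T09:20:00 lab-pc-17 net: outbound HTTPS to 203.0.113.7 every 60s
2021-03-09T22:41:17 fileserver01 auth: logon from lab-pc-17 as svc-backup over SMB
2021-03-10T01:05:33 fileserver01 net: 14.2 GB transferred to 198.51.100.23
"""

# Hypothetical detection rules for this example: (stage, pattern over the
# message text). Real detection content is far larger; these are deliberately
# narrow so each matches exactly one kind of evidence above.
STAGE_RULES = [
    ("Initial Access", re.compile(r"opened link|downloaded .* from")),
    ("Persistence", re.compile(r"scheduled task .* created|registry run key")),
    ("Command and Control", re.compile(r"outbound \S+ to \S+ every \d+s")),
    ("Lateral Movement", re.compile(r"logon from \S+ .* over (SMB|RDP|WinRM)")),
    ("Exfiltration", re.compile(r"\d+(\.\d+)? GB transferred to")),
]


def parse_line(line):
    """Split one log line into its timestamp, host and message."""
    ts, host, msg = line.split(" ", 2)
    return {"ts": datetime.fromisoformat(ts), "host": host, "msg": msg}


def classify(msg):
    """Return the first intrusion stage whose rule matches, else None."""
    for stage, pattern in STAGE_RULES:
        if pattern.search(msg):
            return stage
    return None


def build_timeline(log_text):
    """Parse, tag and time-order every event in the log text."""
    events = [parse_line(l) for l in log_text.strip().splitlines() if l.strip()]
    for event in events:
        event["stage"] = classify(event["msg"])
    return sorted(events, key=lambda e: e["ts"])


def summarize(timeline):
    """Answer 'when', 'where' and 'what happened' from a tagged timeline."""
    first_seen = {}
    for event in timeline:
        if event["stage"] and event["stage"] not in first_seen:
            first_seen[event["stage"]] = event["ts"]
    hosts = sorted({e["host"] for e in timeline if e["stage"]})
    # Events no rule recognises still need a human to look at them.
    unclassified = [e for e in timeline if e["stage"] is None]
    # Dwell time: how long the adversary was inside before the visible harm
    # (here, the data theft). The discovery date is not the start date.
    dwell = None
    if "Initial Access" in first_seen and "Exfiltration" in first_seen:
        dwell = first_seen["Exfiltration"] - first_seen["Initial Access"]
    return {"first_seen": first_seen, "hosts": hosts,
            "unclassified": unclassified, "dwell": dwell}


if __name__ == "__main__":
    summary = summarize(build_timeline(SAMPLE_LOG))
    for stage, ts in summary["first_seen"].items():
        print(f"{ts:%Y-%m-%d %H:%M}  {stage}")
    print("affected hosts:", ", ".join(summary["hosts"]))
    print("dwell time before exfiltration:", summary["dwell"])
    print("events needing a human look:", len(summary["unclassified"]))
```

Run as a script, it prints one line per stage in the order it was first observed, the affected hosts, and a dwell time of just over seven days. Two things in the output matter for a reporter: the harm (the transfer on March 10) came a week after the phishing click that started it, and one event (the PowerShell launch) matched no rule at all, which is the normal situation in a real investigation, where much of the evidence is ambiguous until a person examines it.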
Fortunately, finding sources for breaking cybersecurity stories shouldn’t be too hard. Nickels says it’s important to talk to the people affected first. Sometimes the parties involved won’t comment because it may expose them to liability, but it never hurts to ask. There are also plenty of local subject matter experts. Most states or cities have Information Systems Security Association (ISSA) chapters, or host area conferences known as ‘BSides’ where local experts convene to discuss cybersecurity in their communities. Nickels recommends finding the local ISSA chapter leaders or BSides speakers on Twitter and contacting them there. Just be mindful of a source’s motivations, for instance if they turn an informational interview into a sales pitch, or have ideological reasons to overstate or understate the role of hacktivists or foreign adversaries.
A cybersecurity event can happen anywhere, as 2020 demonstrated. Be prepared for when the story breaks in your community by following these tips and reaching out to either Katie Nickels (@likethecoins) or the Global Cyber Alliance (@GlobalCyberAlln) on Twitter. When investigating cybercrime, journalists may also draw the ire of attackers. They should protect themselves against intrusion and intimidation using the GCA Toolkit for Journalists, which was released at ONA 2020.