It's second nature now for reporters rushing to a dangerous assignment to grab a helmet and vest. Physical security whether covering conflict or quakes is readily understood, if not always adequately implemented.
Securing the technology that journalists use is far less well understood by both reporters and the editors who assign them.
That's one of the reasons why the Committee to Protect Journalists this month brought together frontline journalists, editors, security experts, technologists, and tech company executives for a two-day conference in San Francisco under the banner of "Securing the Newsroom."
We wanted to put journalists who use communications technologies in the same room as those who build and protect those technologies: Journalists and media activists from Mexico, Syria, Pakistan, and Ethiopia shared their experiences of navigating digital and physical attacks and threats, which often overlap. We wanted not only to foster a dialogue--many are already talking--but also to come out with practical ideas and commitments to action. And this happened.
Several participants, who cannot be identified under the meetings' rules, promised to advocate for the adoption of a number of security procedures, including encrypting information in transit, HTTPS, within their respective news organizations.
Having senior news managers and IT staff on board is important because security cannot be compartmentalized. All too often journalists talk of physical and information security as if they were separate concepts. Then editors fret about the safety of field reporters in hostile environments without necessarily building a tech security culture within their base offices or protecting their communications and data storage.
We at CPJ emphasized how security must be viewed as a continuum running from body armor to DDOS attack shields.
We all agreed that tech security does not come naturally to most journalists and that it's no good telling them to encrypt their communications if it involves first acquiring a degree in computer science. When you buy a car you don't have to install anti-lock brakes, seat belts, and airbags before you drive it off the lot, one participant argued. Why should you expect journalists to install security features for tech equipment?
That was reassuring, because the technologists had spent the first part of the meeting scaring the hell out of journalists with tales of tracking, surveillance, spoofing, phishing, breached firewalls, and newsroom collapse. And don't think using PGP to encrypt communication will help you, they said, unless everyone uses--it otherwise you become the sore thumb stand-out.
As one of the attendees, exiled Ethiopian journalist Zerihun Tesfaye, wrote on Facebook: "These digital security experts first scare you so much that you won't be online tomorrow morning. . . Then they teach you how you would be able to move safe online, and inspire you to keep writing writing writing."
So the experts did have a few concrete steps, some of which are already mentioned in CPJ's updated tech security guide, to soothe journalistic nerves. For people in the field these included using laptops and mobile devices where the hard drive is encrypted as standard; and a few kind corporate souls handed out USB keys to help log on to email more securely.
The message that we all came away with was this - be an ambassador inside and outside your news organization for tech security and work with CPJ to spread the word.
CPJ's tech program coordinator, Geoffrey King, who helped organize the gathering, summed it up this way:
- Find out whether your organization utilizes the STARTTLS email encryption protocol, and if it does, ask your IT department what can be done to strengthen its implementation. A study by the Freedom of the Press Foundation found that half of the 65 major news organizations surveyed did not have STARTTLS turned on, or had it imperfectly configured. It easily encrypts all internal email traffic (and much external traffic) in transit. This helps protect news organizations and those with whom they communicate from hacking and surveillance.
- Switch to full HTTPS by the end of 2015. CPJ completed this process this year. Like STARTTLS, HTTPS provides your organization with powerful protection against even sophisticated state-sponsored attacks and surveillance, with minimum effort. And later this year, configuring HTTPS will become even easier.
The stakes have never been higher. Journalists around the world are being killed, kidnapped, and jailed in record numbers by repressive governments, militias, and criminal gangs. The technology that allows us to gather and publish news with unprecedented ease and speed also makes us vulnerable. Hostile environment courses teach reporters how to stay safe on a battlefield. They should now also teach them how to stay safe online.