Runa Sandvik: What We Can Learn From The Cybersecurity Expert Protecting Journalists.
The world is becoming increasingly hostile to journalists.
Journalists are central to free speech and to holding power accountable. To silence them, certain governments are adopting sophisticated spyware, putting journalists in the firing line of surveillance, doxing, targeted attacks, and physical attacks. Cybersecurity expert Runa Sandvik shares the challenges journalists face and how they – along with us – can take small steps to protect themselves from surveillance.
It takes a village to keep journalists safe.
The human resources team focuses on the journalists’ emotional state, the legal team on their legal challenges, the security team on their physical safety, and the cybersecurity team on their online safety.
Few know the online threats that journalists face as well as Runa Sandvik does. As one of the world’s top information security experts, she’s spent her career protecting journalists and newsrooms from cyberattacks. She has an impressive career path too. She’s:
Protected The New York Times newsroom from hackers and nation-state attackers as Senior Director of Information Security.
Helped reporters obscure their online activity at the Tor Project.
Built tools that allow journalists to securely communicate with sources/tips and receive sensitive documents.
Served as a consultant to large news organizations like Reuters and the Associated Press.
Served the Norwegian Cyber Defence Force as the Senior Advisor.
Served the Freedom of the Press Foundation as a Technical Advisor.
And she’s a member of the Technical Advisory Council for the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
More recently, she founded Granitt, a venture focusing on digital security for journalists and other at-risk people like activists, lawyers, politicians, refugees, and human rights defenders worldwide – for good reason.
Witnessing the Biggest Security Threat in the History of Digital Surveillance.
While working at The New York Times, Runa witnessed one of the biggest security threats to journalists in digital surveillance history.
An Israeli startup called the NSO Group released spyware called Pegasus. Pegasus could infect a person’s phone without them clicking on a link (called a “zero-click attack”). The attacker could instantly access the victim’s text messages, emails, photos, geolocation, camera, microphone, and more. Its ability to surveil a person was unprecedented.
Government agencies in at least 45 countries allegedly bought and deployed Pegasus to surveil “terrorists.” However, a leaked list of more than 50,000 phone numbers selected for surveillance by clients of NSO Group told a different story.
Journalists, activists, opposition politicians, human rights defenders, and more were monitored and tracked by governments – particularly in authoritarian regimes whose leaders wanted to hide the truth. Pursuing sensitive material from journalists and silencing or punishing them was a method for these authoritarian regimes to cement their power.
“These government clients range from autocratic (Bahrain, Morocco and Saudi Arabia) to democratic (India and Mexico) and span the entire world, from Hungary and Azerbaijan in Europe to Togo and Rwanda in Africa. As the Pegasus Project will show, many of them have not been afraid to select journalists, human rights defenders, political opponents, businesspeople, and even heads of state as targets of this invasive technology.” – Forbidden Stories
It became clear that the world was becoming increasingly hostile to journalists, so Runa stepped in to fill this gap.
“My goal is to help you (journalists) work safely and help you do whatever it is that you’re trying to do in a safe way. That means we have to talk about and take into account any sort of threat that you’re aware of. We need to come up with a plan for you. It becomes very [contextually] driven. And it’s about coming up with the right mitigations for you and the work that you’re trying to do at that point in time. Whether the concern is NSO-style spyware, phishing, or traveling and you’re worried about losing your laptop, we can talk about the risks, the challenges, what you can do and come up with something that actually works for you.” – Runa Sandvik (source)
Aside from her cybersecurity expertise, Runa is the perfect ally for journalists because she’s been targeted herself.
Too Close to Home: Runa’s Personal Experience Being Targeted.
In 2015, she was the victim of a targeted data breach on Twitter.
One day, she got an email with the subject line: “Important Safety Information.” It went on: “We are alerting you that your Twitter account is one of a small group of accounts that may have been targeted by state-sponsored actors.”
Later on, she’d learn that the attacker was an engineer working for Twitter who doubled as an agent for the Saudi government and monitored the accounts of dissidents. Fortunately, the employee was charged with espionage.
My jaw dropped thinking of a spy working at a social media giant like Twitter – and about a million questions ran through my mind.
Could I also be monitored for the stories I write and the tweets I publish? Does digital surveillance go hand-in-hand with physical surveillance? To what extent could my personal freedoms be at risk? And to what extent is democracy at risk when surveillance occurs within the social media apps we rely on? What safeguards are put in place to prevent the abuse of cyber weapons? What are the consequences and what’s at stake here?
“I don’t know what they accessed or for how long they were there… Maybe they just checked which IP address I was using at that point in time. Or maybe they downloaded all of my direct messages. I don’t know. Because Twitter has not told me.” – Runa Sandvik (source)
The depth of her experience – both professionally and personally – gives her an advantage in helping journalists.
“She appreciates the vagaries of journalism and what it looks like to work through censorship resistance from inside a news organization.” – Susan McGregor, a researcher at Columbia University’s Data Science Institute (source)
With Runa’s personal story and expertise in cybersecurity, I wanted to ask her a few questions. I wanted to know more about the threats that journalists and newsrooms face in the digital space, the small steps you and I can take to keep ourselves safer, the role cybersecurity plays in protecting our democracy, her thoughts on whether most of us are blind to the surveillance around us and more.
I hope this Q&A interview gives you little nuggets of insight and helps you stay safer online.
Q&A with Runa Sandvik.
We were both recently at the Oslo Freedom Forum. Can you tell me about the role that cybersecurity plays in protecting our human rights and defending democracy?
Runa: “I have focused on safety for journalists and at-risk people for over a decade. When I think about protecting human rights and defending democracy, I think of ensuring people can do what they need to do—safely; across digital, physical, emotional, and legal domains.”
There were also a number of stories depicting how the integrity of journalism is at risk due to surveillance and government pressure. In what ways are you seeing governments surveilling, silencing, attacking, or punishing journalists and activists?
Runa: “Journalists today face many different threats, from physical and digital to emotional and legal. The digital threats include phishing to gain access to an online account (such as email); malware to gain access to a computer (such as a malicious PDF); and sophisticated spyware to gain access to a phone (such as Pegasus).”
What about newsrooms and other news organizations; are they under the same kinds of pressure as journalists? Do you see any cyber attacks or government pressure being applied there?
Runa: “Organizations face challenges too, but this may be more in the form of digital and legal attacks focused on the entity—not a single individual. Recent examples from the U.S. include media organizations being hit with ransomware.”
What types of tools are important to protect journalists' and activists’ confidential documents, tips, and sources?
Runa: “For digital security, I strongly recommend: a password manager, two-factor authentication, and use of Signal and WhatsApp for encrypted communication. In addition, I recommend using Lockdown Mode on iOS for added protection against sophisticated spyware.”
Are there small steps you recommend journalists and activists take in order to protect their identity and safety?
Runa: “I recommend regularly reviewing privacy settings on email and social media to ensure you know who can see what. And also security settings so you ensure you use the features available to you. If you’re in the U.S., you can also use DeleteMe to help remove your data from data brokers.”
What messaging app do you use for your personal chats? And why?
Runa: “I strongly recommend Signal and WhatsApp for encrypted communication. Messenger has a feature called Secret Conversations, but it’s not on by default (I wish it was and I wish more people knew about this!).”
You once organized a “crypto party” in Hawaii (involving Edward Snowden). Is your interest in crypto linked to your interest in security and freedom of speech? Or is that a different interest of yours?
Runa: “‘Crypto’ means cryptography, which is a core part of security and privacy.”
What are your thoughts on journalists and activists adopting bitcoin as money to prevent surveillance, tracking, and censorship?
Runa: “I know OsloFF had a few sessions about blockchain technology and I think they were well-attended!”
Many people in the West don’t object to surveillance of their private lives because they have nothing to hide. What are your thoughts on that? And do you think people should care more?
Runa: “I always say that it’s not about something to hide, but about having something to protect. I think that it’s not that people don’t care, it may be that they don’t know what’s going on; or get the impact that surveillance has. This is an area in which continued education is helpful, along with continued push for secure by default and encrypted communications by default.”
Tell us about the work you’re doing at Granitt, a startup you founded that aims to help protect at-risk people (like journalists, activists, politicians, lawyers, refugees, and human rights defenders) from threats they face doing their work.
Runa: “My work builds upon my experience from The Tor Project, Freedom of the Press Foundation, and The New York Times. I started Granitt a year ago to continue with this work, now offering security assessments, guidance, and training to journalists and at-risk people around the world. You can reach me via email at runa@granitt.io or on Twitter at @runasand.”
RELATED RESOURCES:
Read:
About the Pegasus Project (Forbidden Stories)
Pegasus: The New Global Weapon for Silencing Journalists (Forbidden Stories)
Watch:
Global Spyware Scandal: Exposing Pegasus Part 1 (Frontline)
Global Spyware Scandal: Exposing Pegasus Part 2 (Frontline)