Gender Lens: Cyber Security Workshop with Runa Sandvik

In 2016, veteran journalist David Satter published a book titled, "The Less You Know, The Better You Sleep: Russia's Road to Terror and Dictatorship under Yeltsin and Putin," about Boris Yeltsin's tenure as President of Russia and his choice of successor in Vladimir Putin. Satter is known for his pointed critiques of Russia and was expelled from the country in 2013.

In the book, Satter suggests that the government was behind the bombings of four apartment buildings in 1999 that were used to justify a military invasion of Chechnya by the Russian government. At the time, the bombings were alleged to be the terrorist efforts of Chechen separatists.

Last month, Satter's work began to circulate online. Among the cache were private emails and selectively modified reports and writing published to a third-party website. The documents included reference to a forthcoming investigation. Falsified reports moved to discredit reports of corruption among associates of President Putin and suggested that opposition and anti-corruption activists had received foreign funding. Once published, Russian state media reported the leak. 

Satter's experience is one type of what's deemed a "weaponized leak," in this instance, an effort to discredit critics of the Russian government.

His work was tampered to achieve specific propaganda aims, where 95% of the material was real and 5% was just false enough to pass for true in a body of truth, co-opted for purposeful disinformation and to discredit the United States.

On June 4, 2017, Runa Sandvik, director of information security for the newsroom at The New York Times, talked participants at the Pulitzer Center's Gender Lens Conference through the exploit that intercepted Satter's email: a phishing attempt that suceeded much as when during the 2016 U.S. election Hillary for America advisor John Podesta's email was similarly targeted. "It happens all over the place, it's so common that it's not news," Sandvik said about the methods of the breach.

"The media likes to focus on the 'why'," but the purpose of the hack can be hard to determine. According to Sandvik, motive usually comes down to profit, propaganda, or fun.

When it comes to "'how', 'why' and 'by whom'," said Sandvik, "the 'how' is the easy part."

A report published in May by the University of Toronto's Citizen Lab looks at the details of the breach, and links it to several others, notably attacks targeting a former Prime Minister, government dissidents and critics, and targets working in the extractives industry in areas and places thought to be of economic and strategic importance to Russia.

Throughout the workshop, Sandvik emphasized using safe passwords as a means to safeguard important data. A secure password is at minimum 20 characters long, and should never be repeated.

This seems an extraordinary task to master. Fortunately, there exist password managers, encrypted tools that allow a user to access an library of long multi-character passwords stored securely and easily accessed. User's need only recall a 'master password'—something Sandvik advised that we keep a record of offline.

Similar precautions were advised for keeping private documents from prying eyes. Some use "air-gaps" to physically isolate files from a network, which in practice might involve saving encrypted data to a hard-drive or computer that has never been connected to a network not cryptographically secure.

And while journalists in the U.S. might infer some protection by the courts, the same is rarely true for sources, or for journalist colleagues overseas. We should seek true end-to-end encryption that cannot be circumvented when communicating: services that encrypt messages between users so that even the provider cannot unscramble them. One tool, known as OTR for Off The Record, continuously encrypts the conversation in real-time, making it impossible to retrieve previous text.

The practice of securing a large public facing institution like The New York Times is similar to steps that individuals can take to shore their own security. To protect sources and data, Sandvik recommends use of end-to-end email encryption, and cited Mailvelope, or tools like Signal, which encrypt each individual message with a new key. Her team established protocol that allows journalists to borrow a new laptop for travel overseas, and last year, established a tips platform at nytimes.com/tips with a range of secured options.

Since a security breach might seek to move laterally through the network, preventative measures that keep individuals secure can quell an interloper's tracks.

Still, many of us share extraordinary amounts of details about ourselves online.

Consider, too, unpublished blog posts that express views that you no longer hold, and how their distribution could impact you down the the line.

"An attacker might find a way to use stuff you have written in the past about you now," said Sandvik. "Not because you are writing about something interesting right now, but because you have written about interesting stuff in the past."

Benign seeming details of our lives are frequently less private that we might imagine, and can be weaponized to discredit our work today, or used as points of leverage in difficult negotiations.

Sandvik cited documents published by Wikileaks that detail CIA exploits designed to obsfucate the origin of an attack and implicate a false source elsewhere.

Determining 'by whom' the attack was propagated is rarely possible to do with any certainty. "You will never be 100% sure that it is Russia, or it is China," she said. "Attribution is fascinating but also incredibly difficult."

And for journalists, our data-rich phones and computers present an ever-present risk to sources.

Like Satter's book title, "The Less You Know The Better You Sleep," Sandvik's verdict on surveillance during the workshop leveled that what's most effective in this area is also invisible—and still more reason to take preventative measures to keep privacy secure.