A multidimensional approach to journalism safety


The security community is constantly evolving, growing and learning from each other to better position the world against cyber threats. In the latest post in our Community Voices blog series, Senior Marketing Manager for Microsoft Security Products Brooke Lynn Weenig speak with Runa Sandvik, former senior director of information security at The New York Times and a member of CISA’s technical advisory board. She was recently interviewed about her new startup, Granitt, in TechCrunch.1 The thoughts below reflect the opinions of Runa, not those of Microsoft, and do not constitute legal advice. In this blog post, Runa talks about the safety of journalists and the media.

Brooke: How did you get into cybersecurity?

runa: I got my first computer when I was 15 years old. I studied for a bachelor’s degree in computer science at a university in Norway, where I’m from. One thing that I really appreciate about this industry is that in IT and cybersecurity, there are so many different challenges to overcome. There are so many issues you can work on and so many things you can be curious about and I always really liked that.

During the summer of 2009, before the last year of my degree, I worked for the Tor project as part of the Google Summer of Code. After this internship ended, I stayed on the Tor project and volunteered to continue maintaining my project. Over time, Tor offered me a part-time contract and later a full-time contract.

Much of the work I do today was shaped by the four years I spent working with the Tor Project. When I first heard of Tor I thought it was cool that you could be anonymous online using technology. I haven’t considered who uses it or for what reason. But over the four years with Tor, I’ve met not only other people working in the same space, but also people from all over the world who have told me about their experiences with the tool and what it does. allowed them to do, which was an extremely positive experience. for me.

Brooke: What excites you most about protecting journalists?

runa: Around 2011, four projects got funding to train journalists to use the Tor browser and I ended up leading this project. We were putting together a program and quickly felt that it wasn’t much use teaching someone how to use a Tor browser to be safe online if they weren’t also familiar with it. with general security best practices, like passwords and two-factor authentication. and the importance of software updates. So we built a program around that. Later, I brought that experience with me to the Freedom of the Press Foundation and the New York Times.

The work I did with journalists is something I discovered, but looking back now, I think investigative journalism has a lot of the same themes as security research. It has the same puzzles, challenges, and digs that make me really curious and really interested. He also has this incredibly important mission behind him.

Brooke: What are you doing to protect journalists and groups or organizations at risk?

runa: For an individual to work safely, I consider digital security, physical security, emotional security and legal issues. Journalism safety really has to encompass all four buckets, so part of the work I do has been one-on-one conversations with journalists who want day-to-day safety tips, and helping them understand what they can do to s ‘to improve. They usually prepare a specific investigative project or plan a trip to a risk area.

I have worked closely with groups of people within media organizations made up of a mix of journalists, IT, security and legal departments to produce a security plan based on the challenges they face and the type of assistance the newsroom needs. Years ago, if you were a large corporation like The New York Times, The Washington Post, Microsoft, or Google, there were many large and complex cybersecurity frameworks to help you get a baseline and the steps to take. to improve yourself.

If you’re an individual looking to improve your security, there are guides from the Electronic Frontier Foundation and the Freedom of the Press Foundation that give you information such as “here’s how you use a password manager” and ” this is how you set up a two-factor password manager”. authentication,” but Ford Foundation fellow Matt Mitchell found that if you’re a small organization or team, there isn’t a good option available. He set up a committee to develop the Ford Foundation’s Cybersecurity Assessment Tool, designed for small organizations. It’s a really effective way to know where I am today and where the focus should be in the next year or two.

Brooke: What are the biggest threats you’ve seen in your work?

runa: If we talk about security issues that a journalist as an individual might face, we could talk about online account takeover and phishing scams. I recently gave a talk at Paranoia in Oslo about how media is hacked and the root cause of all these problems. If we talk about the organization the reporter works for, it comes down to a lack of two-factor authentication credential stuffing, bad passwords, phishing, and outdated systems.

Over the years my work has focused on the individual, but 10 years ago Tor was clunky and complex. We had VPNs. We had tools to fully encrypt your laptop drive, but they were clunky to use. There was a long text of steps to get everything up and running. People needed a lot of help using it. Nowadays we have all the tools and they are free or not very expensive. What’s missing now is that management buy-in to create the processes and workflows to ensure that newsrooms have all of these tools. Currently, it’s more of a bridge-building type challenge. I don’t think we necessarily lack tools. We just have to figure out how to put it back together.

Brooke: What are the biggest security challenges for journalists?

runa: A journalist is a journalist all day, every day. It’s not just a job, it’s an identity. They’re journalists, whether they’re in a movie theater with a home phone or at work with their corporate laptop. No matter what device they’re using, time of day, and location in the world, they’re still journalists and they’ll report if there’s anything to report. In an enterprise context, historically, we’ve focused on securing enterprise accounts, enterprise systems, and enterprise devices, but for roles like journalism and other activist groups, which are starting to crumble a bit. I think there needs to be a bigger conversation about how we do it to secure identities, as opposed to just corporate 9 to 5 stuff.

Another big challenge is creating enough support on the business side of the business to be able to provide adequate support to the newsroom. Journalists I’ve spoken to don’t question that they need to be safer and they need processes or tools. Once that is provided they are very willing to try things out. You just need to build that bridge and help the business side understand the challenges of the newsroom and the potential challenges it poses to the business, whether from a physical, digital or legal perspective. then find ways to fix it.

Supporting the work that the newsroom does means developing products, developing the content management system (CMS), distributing stories, producing new ways of reporting, retaining subscribers and funding journalists who go on international trips. ‘investigation. All of these things are incredibly important and sometimes more important than security. The challenge is where do I spend my resources knowing that everything is so limited?

There are many ways to improve your organization’s security and even if you don’t currently have the resources for the best and biggest product, there are still small things you can do. It’s about figuring out how to focus on that one thing you need to focus on, even if it’s just one person, two people, or a small team. At this point, not focusing on cybersecurity is not an option.

Learn more

To learn more about Microsoft security solutions, visit our website. Bookmark the Security Blog to follow our expert coverage on security issues. Also, follow us on @MSFTSecurity for the latest cybersecurity news and updates.


1Runa Sandvik’s new startup, Granitt, protects people at risk from hackers and nation states, Zack Whittaker. July 15, 2022.

Previous XCSSET malware updates with Python 3 to target macOS Monterey users
Next Why a Flying Hospital is in North Texas